Experimental implementation of bit commitment in the noisy-storage model 
Fundamental primitives such as bit commitment and oblivious transfer serve as building blocks for
many other two-party protocols. Hence, the secure implementation of such primitives is important
in modern cryptography. In this work, we present a bit commitment protocol which is secure as
long as the attacker's quantum memory device is imperfect. The latter assumption is known as
the noisy-storage model. We experimentally executed this protocol by performing measurements
on polarization-entangled photon pairs. Our work includes a full security analysis, accounting for
all experimental error rates and finite size effects. This demonstrates the feasibility of two-party
protocols in this model using real-world quantum devices. Finally, we provide a general analysis of
our bit commitment protocol for a range of experimental parameters.



I. INTRODUCTION 

Traditionally, the main objective of cryptography has been to protect communication from the
prying eyes of an eavesdropper. Yet, with the advent of modern communications new cryptographic
challenges arose: we would like to enable two parties, Alice and Bob, to solve joint problems
even if they do not trust each other. Examples of such tasks include secure auctions or the
problem of secure identification such as that of a customer to an ATM. Whereas protocols for
general two-party cryptographic problems may be very involved, it is known that they can in
principle be built from basic cryptographic building blocks known as oblivious transfer [1] and
bit commitment.

The task of bit commitment is thereby particularly simple and has received considerable
attention in quantum information. Intuitively, a bit commitment protocol consists of two
phases. In the commit phase, Alice provides Bob with some form of evidence that she has chosen
a particular bit $C \in \{0, 1\}$. Later on in the open phase, Alice reveals $C$ to Bob. A bit
commitment protocol is secure, if Bob cannot gain any information about $C$ before the open
phase, and yet, Alice cannot convince Bob to accept an opening of any bit $\hat{C} \neq C$.

Unfortunately, it has been shown that even using quantum communication none of these tasks can
be implemented securely. Note that in quantum key distribution (QKD), Alice and Bob trust each
other and want to defend themselves against an outsider Eve. This allows Alice and Bob to
perform checks on what Eve may have done, ruling out many forms of attacks. This is in sharp
contrast to two-party cryptography where there is no Eve and Alice and Bob do not trust each
other. Intuitively, it is this lack of trust that makes the problem considerably harder.
Nevertheless, because two-party protocols form a central part of modern cryptography, one is
willing to make assumptions on how powerful an attacker can be in order to implement them
securely.

Here, we consider physical assumptions that enable us to solve such tasks. In particular, can
the sole assumption of a limited storage device lead to security? This is indeed the case and
it was shown that security can be obtained if the attacker's classical storage is limited.
Yet, apart from the fact that classical storage is cheap and plentiful, assuming a limited
classical storage has one rather crucial caveat: If the honest players need to store $N$
classical bits to execute the protocol in the first place, any classical protocol can be
broken if the attacker can store more than roughly $N^2$ bits [9].

Motivated by this unsatisfactory gap, it was thus suggested to assume that the attacker's
quantum storage was bounded [10]-[14], or more generally, noisy [15]-[17]. The central
assumption of the noisy-storage model is that during waiting times $\Delta t$ introduced in the
protocol, the attacker can only keep quantum information in his quantum storage device
$\mathcal{F}$. The exact amount of noise can depend on the waiting time. Otherwise, the
attacker may be all-powerful. In particular, he can store an unlimited amount of classical
information, and perform any computation instantaneously without errors. Note that the latter
implies that the attacker could encode his quantum information into an arbitrarily complicated
error correcting code, to protect it from noise in his storage device $\mathcal{F}$.

The assumption that storing a large amount of quantum information is difficult is indeed
realistic today, as constructing large scale quantum memories that can store arbitrary
information successfully in the first attempt has proved rather challenging. We emphasize that
this model is not in contrast with our ability to build quantum repeaters, where it is
sufficient for the latter to store quantum states while making many attempts. A review on
quantum memories can be found in [18], and numerous recent works can also be found in
[19]-[21]. While perpetual advances in building quantum memories fundamentally affect the
feasibility of all protocols in the noisy storage model, we will explain below that given any
upper bound on the size and noisiness of a future quantum storage device, security is in fact
possible - we merely need to send more qubits during the protocol.

In this work, we have implemented a bit commitment protocol that is secure under the noisy
storage assumption. We provide a general security analysis of our protocol for a range of
possible experimental parameters. The parameters of our particular experiment are shown to lie
within the secure region. The storage assumption in our work is such that a cheating party
cannot store more than approximately 900 qubits, which is a reasonable physical constraint
given modern day technology of storing quantum information.

II. RESULT 
The Noisy Storage Model 

To state our result, let us first explain what we mean by a quantum storage device, and how an
assumption regarding these devices translates to security conditions in the noisy storage
model. A more detailed introduction to the model can be found in e.g. [17].

Of particular interest to us are storage devices consisting of $S$ "memory cells", each of
which may experience some noise $\mathcal{N}$ itself. Mathematically, this means that the
storage device is a quantum channel [mathematically, a completely positive trace preserving
map (CPTPM)] of the form $\mathcal{F} = \mathcal{N}^{\otimes S}$ where
$\mathcal{N} : \mathcal{B}(\mathbb{C}^d) \to \mathcal{B}(\mathbb{C}^d)$ is a noisy channel
acting on each memory cell, mapping input states to some noisy output states. For example, a
noise-free storage device consisting of $S$ qubits (i.e., $d = 2$), corresponding to the
special case of bounded storage, is given by $\mathcal{F} = \mathbb{I}_2^{\otimes S}$ where
$\mathbb{I}_2$ is the identity channel with one qubit input and one qubit output. Another
example is a memory consisting of $S$ qubits, each of which experiences depolarizing noise
according to the channel $\mathcal{N}_r(\rho) = r\rho + (1 - r)\frac{\mathbb{I}}{2}$. The
larger $r$ is, the less noise is present. Yet another example is the erasure channel, which
models losses in the storage device.

It is indeed intuitive that security should be related to "how much" information the attacker
can squeeze through his storage device. That is, one expects a relation between security and
the capacity of $\mathcal{F}$ to carry quantum information. Indeed, it was shown that security
can be linked to the classical capacity [17], the entanglement cost [12], and finally the
quantum capacity [23] of the adversary's storage device $\mathcal{F}$.

When evaluating security, we start with a basic assumption on the maximum size and the minimum
amount of noise in an adversary's storage device. Such an assumption can for example be
derived by a cautious estimate based on quantum memories that are available today. Note that
these assumptions are for memories that can store arbitrary states on first attempt. Such
memories presently exist for a handful of qubits. Given such an estimate, we then determine
the number of qubits we need to transmit during the protocol to effectively overflow the
adversary's memory device and achieve security.



Protocol and its security 

We consider the bit commitment protocol from [17] with several modifications to make it
suitable for an experimental implementation with time-correlated photon pairs. Figure 1
provides a simplified version of this modified protocol without explicit parameters - the
explicit version can be found in the Supplementary Methods. In the Supplementary Methods, we
also provide a general analysis that can be used for any experimental setup (details on our
particular experiment are also provided in the same section).

To understand the security constraints, we first need to establish some basic terminology. In
our experiment, Alice holds the source, and both Alice and Bob have four detectors, each one
corresponding to one of the four BB84 states. If Alice or Bob observes a click of exactly one
of their detectors (symmetrized with the procedure outlined in Supplementary Methods), we
refer to it as a valid click. Cases where more than one detector clicks at the same instant on
the same side are ignored. A round is defined by a valid click of Alice's detectors. A valid
round is where both parties Alice and Bob registered a valid click in a corresponding time
window, i.e., where a photon pair has been identified.

First, to deal with losses in the channel we introduce a 
new step in which Bob reports a loss if he did not observe 
a valid click. Second, to deal with bit flip errors on the 
channel, we employ a different class of error-correcting 
codes, namely a random code. Usage of random codes is 
sufficient for this protocol since decoding is not required 
for honest parties. The main challenge is then to link the 
properties of random codes to the protocol security. 

Before we can argue about the correctness and security of the proposed protocol, let us
introduce four crucial figures of interest that need to be determined in any experimental
setup. The first two are the probabilities $p^0_{\text{sent}}$ and $p^1_{\text{sent}}$ that
none or just a single photon was sent to Bob respectively, conditioned on the event that Alice
observed a round. The third is the probability $p_{B,\text{noclick}}$ that honest Bob
registers a round as missing, i.e. Bob does not observe a valid click when Alice does. Again,
this probability is conditioned on the event that Alice observed a round. Note that by
no-signalling, Alice's choice of better (or worse) detectors should not influence the
probability of Bob observing a round. Finally, we will need the probability $p_{\text{err}}$
of a bit flip error, i.e. the probability that Bob outputs the wrong bit even though he
measured in the correct basis.

Naturally, since Alice and Bob do not trust each other, they cannot rely on each other to
perform said estimation process. Note, however, that the scenario of interest in two-party
cryptography is that the honest parties essentially purchase off the shelf devices with
standard properties, for which either of them could perform said estimate. It is only the
dishonest parties who may be using alternate equipment. Another way to look at this is to say
that there exists some set of parameters (i.e., maximum losses, maximum amount of noise on the
channel, etc) such that an honest party has to conform to these requirements when executing
the protocol.

Let us now sketch why the proposed protocol remains correct and secure even in the presence of
experimental errors. A detailed analysis is provided in the Supplementary Methods. In our
analysis, we take the storage device $\mathcal{F}$, as well as a fixed overall security error
$\varepsilon$ as given. Let $M$ be the number of rounds Alice registers during the execution
of the protocol. Let $n$ be the number of valid rounds. In the description of theoretical
parameters found in the Supplementary Methods, it is shown that $M$ and $n$ are directly
related to each other, given some fixed experimental parameters. In particular, $n$ is a
function of $M$ and $p_{B,\text{noclick}}$.

We can now ask, how large does $M$ (or equivalently $n$) need to be in order to achieve
security. If $n$ is very small, for example if $n \approx 100$, it is relatively easy to break
the protocol since a cheating party might be able to store enough qubits. Also many terms from
our finite $n$ analysis reach convergence only for sufficiently large $n$. As these terms
depend on experimental parameters, security can be achieved for a larger range of experimental
parameters if $n$ is large. By fixing the assumption on quantum storage size, experiment
parameters and security error values, our analysis allows us to determine a value of $n$ where
security is achievable.

Correctness: First of all, we must show that if Alice and Bob are both honest, then Bob will
accept Alice's honest opening of the bit $C$. Note that the only way that honest Bob will
reject Alice's opening is when too many errors occur on the channel, and hence part 2 of Bob's
final check (see Figure 1) will fail. A standard Chernoff style bound using the Hoeffding
inequality [24] shows the probability of this event is small, i.e., that the deviation from
the expected number of $p_{\text{err}} n$ errors is not too large.

Security against Alice: Second, we must show that if Bob is honest, then Alice cannot get him
to accept an opening of a bit $\hat{C} \neq C$. In our protocol, Alice is allowed to be all
powerful, and is not restricted by any storage assumptions. If she is dishonest, we
furthermore assume that she can even have perfect devices and can eliminate all errors and
losses on the channel. The first part of our analysis, i.e., the analysis of the steps before
the syndrome is sent is thereby identical to [25] (see Figure 1). More precisely, it is shown
that up to this step in the protocol, a string $X^n \in \{0, 1\}^n$ is generated such that Bob
knows the bits $X_{\mathcal{I}}$ for a randomly chosen subset
$\mathcal{I} \subseteq \{1, \ldots, n\}$, where $X_{\mathcal{I}}$ corresponds to the entries
of the string $X^n$ indexed by the positions in $\mathcal{I}$. If Alice is dishonest, we want
to be sure at this stage that she



A. Commit Phase

Alice and Bob agree on an error correcting code specified by the parity check matrix $H$.

Alice:
- Observe one side of an entangled photon pair source by measuring polarization of photons
  in a randomly chosen basis and for each photon records the basis $\theta_i$ and bit
  value $X_i$.
- Send timing $t_A$ of valid clicks to Bob.

Bob:
- Observe the other side of the photon pair source by measuring photons in a randomly
  chosen basis $\hat{\theta}_i$ and records result $\hat{X}_i$.
- Identify valid rounds by finding matching valid clicks for timings $t_A$.
- Inform Alice about missing rounds.

Alice:
- Check if rounds reported missing by Bob are within acceptable range. If so, continue.
- From the bit values recorded, Alice obtains a binary string $X^n$ of length $n$.

Both parties wait for time $\Delta t$.

Alice:
- Send basis information to Bob.
- Compute syndrome $w$.
- Choose a 2-universal hash function $r$.
- Send $w$ and $r$ to Bob.
- Compute $D = \mathrm{Ext}(X^n, r)$ and send $E = C \oplus D$ to Bob.

Bob:
- Compare Alice's basis against his.
- Compute:
  1. set $\mathcal{I} = \{ i \in [n] \mid \theta_i = \hat{\theta}_i \}$
  2. substring $X_{\mathcal{I}} = \{ X_i \mid i \in \mathcal{I} \}$
- Store $w$, $r$ and $E$.

B. Open Phase

Alice:
- Send $X^n$ to Bob.
- Send committed bit $C$ to Bob.

Bob:
- Compute:
  1. syndrome using $X^n$ and $H$.
  2. committed bit $\tilde{C} = \mathrm{Ext}(X^n, r) \oplus E$.
- Check that:
  1. $\mathrm{Syn}(X^n) = w$ and $\tilde{C} = C$.
  2. $X^n$ and $X_{\mathcal{I}}$ agree except for expected number of errors.

Are the checks satisfied? If yes: Accept commitment. If no: Reject commitment.



FIG. 1: Flowchart of the bit commitment protocol. This protocol allows Alice to commit a
single bit $C \in \{0, 1\}$. Alice holds the source that creates the entangled photon pairs.
The function Syn maps the binary string $X^n$ to its syndrome as specified by the error
correcting code. The function $\mathrm{Ext} : \{0, 1\}^n \otimes \mathcal{R} \to \{0, 1\}$ is
a hash function indexed by $r$, performing privacy amplification. We refer to the
Supplementary Methods for a more detailed statement of the protocol including details on the
acceptable range of losses and errors. Note that the protocol itself does not require any
quantum storage to execute.



cannot learn $\mathcal{I}$, that is, she cannot learn which bits of $X^n$ are known to Bob. In
the original protocol without experimental imperfections [17] this was trivially guaranteed
because Bob never sent any information to Alice. In this practical protocol, however, Bob does
send some information to Alice, namely which rounds are valid for him, i.e., when he saw a
click. In [25] it was simply assumed that the probability of Bob observing a loss is the same
for all detectors, and hence in particular also independent of Bob's basis choice. This is
generally never the case in practise. However, by symmetrizing the losses as outlined in the
Supplementary Methods, one can ensure that the losses become the same for all detectors. In
essence, this procedure probabilistically adds additional losses to the better detectors such
that in the end all detectors are as lossy as the worst one. As Bob's losses are then
independent of his basis choice, i.e., the detector, this means that Alice cannot gain any
information about $\mathcal{I}$ when Bob reports some rounds as being lost.

The second part of the protocol and its analysis uses the string $X^n$ and Bob's partial
knowledge $X_{\mathcal{I}}$ to bind Alice to her commitment. First, we have that properties of
the error-correcting code ensure that if the syndrome of the string ($\mathrm{Syn}(X^n)$ in
Figure 1) matches and Alice passes the first test, then she must flip many bits in the string
to change her mind. In the original protocol of [17], sending Bob the syndrome of $X^n$
ensured that she must change at least $d/2$ bits of $X^n$, where $d$ is the distance of the
error-correcting code, such that Bob will accept the syndrome to be consistent. However, since
Alice does not know which bits $X_i$ are known to Bob she will get caught with high
probability. This is due to the fact that with probability $1 - (1/2)^{d/2}$ Alice changed at
least a bit known to Bob, and in the perfect case Bob aborts whenever a single bit is wrong.
As we have to deal with experimental imperfections we cannot have that Bob aborts whenever a
single bit is wrong, as bit flip errors on the channel likely lead to errors even when Alice
is honest. As such the difference to the analysis of [13] is that Bob must accept some
incorrect bits in part two of his final check (see Figure 1). Our argument is nevertheless
quite similar, but does require a careful tradeoff involving all experimental parameters
between the distance of the code and the syndrome length (see below). We hence use a different
error-correcting code as compared to [13]. In particular, we use a random code which has the
property that with overwhelming probability its distance is large (i.e. it is hard for Alice
to cheat), while nevertheless having a reasonably small syndrome length (see Supplementary
Discussion). The latter will be important in the security analysis below when Alice herself is
honest.

Security against Bob: Finally, we must show that if Alice is honest, then Bob cannot learn any
information about her bit $C$ before the open phase. Again, dishonest Bob may have perfect
devices and eliminate all errors and losses on the channel. His only restriction is that
during the waiting time $\Delta t$ he can store quantum information only in the device
$\mathcal{F}$.

We first show that Bob's information about the entire string $X^n$ is limited. We know from
[17] that Bob's min-entropy about the string $X^n$ before Alice sends the syndrome, given all
his information including his quantum memory can be bounded by

$$H_{\min}(X^n \mid \text{Bob}) \geq -\log P^{\mathcal{F}}_{\text{succ}}(Rn), \tag{2}$$

where $P^{\mathcal{F}}_{\text{succ}}(Rn)$ is the maximum probability of transmitting $Rn$
randomly chosen bits through the channel $\mathcal{F}$ where $R$ is called the rate. This rate
is determined using a novel uncertainty relation that we prove for BB84 measurements, and all
experimental parameters. The min-entropy itself can thereby be expressed as
$H_{\min}(X^n \mid \text{Bob}) = -\log P_{\text{guess}}(X^n \mid \text{Bob})$, where
$P_{\text{guess}}(X^n \mid \text{Bob})$ is the probability that Bob guesses the string $X^n$,
maximized over all measurements that he can perform on his system [26].



As Alice sends the syndrome to Bob, Bob gains some additional information which reduces his
min-entropy. More precisely, it could shrink at most by the length of the syndrome, i.e.,

$$H_{\min}(X^n \mid \text{Bob}, \mathrm{Syn}(X^n)) \geq H_{\min}(X^n \mid \text{Bob}) - \log |\mathrm{Syn}(X^n)| . \tag{3}$$

Note that this is the reason why we asked for the error-correcting code to have a short
syndrome length above.

Finally, we show that knowing little about all of $X^n$ implies that Bob cannot learn anything
about $C$ itself. More precisely, when Alice chooses a random two universal hash function
$\mathrm{Ext}(\cdot, R)$ and performs privacy amplification [27], Bob knows essentially
nothing about the output $\mathrm{Ext}(X^n, R) = D$ whenever his min-entropy about $X^n$ is
sufficiently large. The bit $D$ then acts as a key to encrypt the bit $C$ using a one-time
pad. Since Bob cannot know $D$, he also cannot know $C$. Our analysis is thereby very similar
to [13], requiring only a very careful balance between the distance of the error-correcting
code above, and the syndrome length.

We provide a detailed analysis in the Supplementary Methods, where a general statement for
arbitrary storage devices is included. Especially for the case of bounded storage
$\mathcal{F} = \mathbb{I}_2^{\otimes S}$, we can easily evaluate how large $M$ needs to be in
order to achieve security against both Alice and Bob, when an error parameter $\varepsilon$ is
fixed. The total execution error of the protocol is obtained by adding up all sources of
errors throughout the protocol analysis.

The case where Alice and Bob are both dishonest is not of interest, because the aim of this
protocol is to perform correctly while both players are honest, and protect the honest players
from dishonest players.
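
The classical post-processing of the commit and open phases discussed above can be exercised in a short simulation. This is an added example, not code from the paper or its Supplementary Methods; it assumes a systematic random parity-check matrix H = [A | I], the one-bit inner-product hash as Ext, a Hoeffding-style acceptance threshold, hypothetical function names, and a constructed n = 2000 rather than the experiment's 250 000 valid rounds.

```python
import math
import random

P_ERR = 0.041  # bit error rate quoted on the page (after symmetrization)
EPS = 2e-5     # error parameter quoted on the page; using it for the threshold is an assumption

def weight(v):
    """Hamming weight of a bit string stored as a Python integer."""
    return bin(v).count("1")

def make_code(m, n, rng):
    """Rows of H = [A | I_m] as n-bit integers (assumed stand-in for the random code)."""
    A = [rng.getrandbits(n - m) for _ in range(m)]
    return [(a << m) | (1 << j) for j, a in enumerate(A)], A

def syn(H, x):
    """Syndrome of the bit string x: one parity bit per row of H."""
    return tuple(weight(h & x) & 1 for h in H)

def ext(x, r):
    """Ext(x, r) = <x, r> mod 2, a 2-universal one-bit hash indexed by r (assumed family)."""
    return weight(x & r) & 1

def measure(n, rng, p_err=P_ERR):
    """Constructed valid rounds: where the random bases agree Bob gets Alice's bit
    flipped with probability p_err, elsewhere an independent random bit."""
    full = (1 << n) - 1
    theta, x, theta_b = (rng.getrandbits(n) for _ in range(3))
    same = ~(theta ^ theta_b) & full
    flips = sum(1 << i for i in range(n) if rng.random() < p_err)
    x_b = ((x ^ flips) & same) | (rng.getrandbits(n) & ~same & full)
    return theta, x, theta_b, x_b

def commit(C, H, theta, x, n, rng):
    """Alice after the waiting time: basis string, syndrome w, hash index r, E = C xor D."""
    r = rng.getrandbits(n)
    return {"theta": theta, "w": syn(H, x), "r": r, "E": C ^ ext(x, r)}

def bob_store(msg, theta_b, x_b, n):
    """Bob keeps the index set I of matching bases, his bits on I, and w, r, E."""
    I = ~(msg["theta"] ^ theta_b) & ((1 << n) - 1)
    return {"I": I, "x_I": x_b & I, "w": msg["w"], "r": msg["r"], "E": msg["E"]}

def verify_open(st, H, x_open, C_open, p_err=P_ERR, eps=EPS):
    """Bob's final check; returns (accepted, reason)."""
    if syn(H, x_open) != st["w"]:
        return False, "syndrome mismatch"
    if (ext(x_open, st["r"]) ^ st["E"]) != C_open:
        return False, "bit mismatch"
    k = weight(st["I"])
    limit = p_err * k + math.sqrt(k * math.log(1 / eps) / 2)  # Hoeffding slack
    if weight((x_open & st["I"]) ^ st["x_I"]) > limit:
        return False, "too many errors on I"
    return True, "accepted"

def shifted_by_codeword(x, A, m, n, r, rng):
    """Model of the dishonest-Alice case analysed on the page: x xor c with Hc = 0 and
    <c, r> = 1 keeps the syndrome and flips the extracted bit, at the cost of many flips."""
    while True:
        u = rng.getrandbits(n - m)
        c = (u << m) | sum((weight(a & u) & 1) << j for j, a in enumerate(A))
        if ext(c, r) == 1:
            return x ^ c

def run_demo(seed=7, n=2000, m=200):
    """Commit to C = 1, then try four openings against Bob's stored state."""
    rng = random.Random(seed)
    H, A = make_code(m, n, rng)
    theta, x, theta_b, x_b = measure(n, rng)
    st = bob_store(commit(1, H, theta, x, n, rng), theta_b, x_b, n)
    return {
        "honest": verify_open(st, H, x, 1),
        "other_bit": verify_open(st, H, x, 0),
        "one_flip": verify_open(st, H, x ^ 1, 1),
        "codeword_shift": verify_open(st, H, shifted_by_codeword(x, A, m, n, st["r"], rng), 0),
    }

if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, result)
```

The codeword used here is a random one and therefore far heavier than the code distance d; the analysis above concerns the lightest possible change, which is why the trade-off between d and the accepted number of errors matters.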



Experiment 

We have implemented a quantum protocol for bit commitment that is secure in the noisy-storage
model. For this, $n = 250\,000$ valid rounds (see below) were used at a bit error rate of
$p_{\text{err}} = 4.1\%$ (after symmetrization) to commit one bit with a security error of
less than $\varepsilon = 2 \times 10^{-5}$. Note that $\varepsilon$ is the final correctness
and security error for the execution of bit commitment in our experiment. This protocol is
secure under the assumption that Bob's storage size is no larger than 972 qubits, where each
qubit undergoes a low depolarizing noise with a noise parameter $r = 0.9$ (see Supplementary
Methods Section D). We stress that our analysis is done for finite $n$, and all finite size
effects and errors are accounted for. The $\varepsilon$ includes the error in the choice of
random code in the protocol, finite size effects that need to be bounded, smoothing parameters
from an uncertainty relation, etc. Our experimental implementation demonstrates for the first
time that two-party protocols proposed in the bounded and noisy-storage models are well within
today's capabilities.

III. DISCUSSION



We demonstrated, for the first time, that two-party protocols proposed in the bounded and
noisy-storage models can be implemented today. We emphasize that whereas - like so many
experiments in quantum information - our experiment is extremely similar to QKD, the
experimental parameter requirements and analysis are entirely different to QKD. Where there
are many experiments carrying out QKD, there are only a handful of implementation results for
two party protocols. Bit commitment is one of the most fundamental protocols in cryptography.
For example, it is known that with bit commitment, coin tossing can be built. Also using
additional quantum communication we can build oblivious transfer [35], which in turn enables
us to solve any two-party cryptographic problem [1]. In the Supplementary Methods, we provided
a detailed analysis of our modified bit commitment protocol including a range of parameters
for which security can be shown. Our analysis could be used to implement the same protocol
using a different, technologically simpler setup, with potentially lower error rates or
losses. Our analysis can also address the case of committing several bits at once.

It would be interesting to see implementations of other protocols in the noisy-storage model.

Finally, note that our analysis rests on a fundamental assumption made in the analysis of all
cryptographic protocols, namely that Alice does not have access to Bob's lab and vice versa.
In particular, this means that Alice cannot tamper with the random choices made by Bob,
potentially forcing him to measure e.g. only in one basis, or by manipulating apparent
detector losses [36], [37].



IV. METHODS 



Parameter ranges 

Our theoretical analysis shows security for a general range of parameters as illustrated in
Figures 2, 3 and 4. A fully general theoretical statement can be found in the Supplementary
Methods. These plots demonstrate that security is possible for a wide range of parameters, of
which our particular implementation forms a special case. The plots are done for fixed values
of $n = 250000$ and a total execution error of $\varepsilon = 3 \cdot 10^{-4}$, unless
otherwise indicated. Finally, Bob's storage size is quantified by $S$, the number of qubits
that Bob is able to store. The plots assume a memory of $S$ qubits, where each qubit undergoes
depolarizing noise with parameter $r = 0.9$.

FIG. 2: Security region for $p^1_{\text{sent}}$ versus $p_{B,\text{noclick}}$. Plots were done
for distinct values of $p_{\text{err}}$, while storage size is fixed $S = 2500$, and
$p_{B,\text{noclick}} = 0$. For small values of $p_{B,\text{noclick}}$ (large amounts of
losses), there exists a threshold on $p^1_{\text{sent}}$ for the protocol to be secure. This
threshold increases with $p_{\text{err}}$, and for extremely small storage rates, it gives a
maximal tolerable $p_{\text{err}} \approx 0.046$.

FIG. 3: Security region for some typical parameter ranges. $p_{B,\text{noclick}}$ and
$p_{\text{err}}$ quantify the amount of erasures and errors in the protocol. For higher values
of the sum $p_{B,\text{noclick}} + p^1_{\text{sent}}$, Bob gets fewer multi-photons, and
erasures have less impact on the protocol security. This implies if the source is ideal, the
protocol remains secure for large values of erasures. Dependences in the security region
between erasures and errors also become more obvious when
$p_{B,\text{noclick}} + p^1_{\text{sent}}$ is low. Furthermore, large assumptions on $S$
directly decrease the amount of min-entropy, causing tolerable $p_{\text{err}}$ to drop
consistently for all amounts of erasures.

FIG. 4: Security region for different storage size $S$ and error rate $p_{\text{err}}$, with
$p^1_{\text{sent}} = 0.765$, and $p_{B,\text{noclick}} = 0.234$ fixed. This plot shows a
monotonic decreasing trend for tolerable $p_{\text{err}}$ w.r.t. storage size $S$. The sharp
cut-off for $S$ varies with $p_{B,\text{noclick}}$, since with lower detection efficiency,
dishonest Bob can report more missing rounds, hence the lower his storage size has to be for
security to hold. Also, the plot shows security for mostly low values of storage rate. The
result is non-optimal, since it has been shown [23] that security can be achieved with
arbitrarily large storage sizes, if the depolarizing noise parameter $r < 0.7$. This is
because we bound the smooth min-entropy of an adversarial Bob by the classical capacity of a
quantum memory, while does so in terms of entanglement cost. Since the latter is generally
smaller than the former, this poses a better advantage for security which is not shown in our
analysis.



Experimental Implementation 

We implement this protocol with a series of entangled photons, with the polarization degree of
freedom forming our qubits. This allows for reliable measurements in two complementary bases.
Basis 1 corresponds to horizontal/vertical (HV) polarization, and basis 2 to ±45° (+-) linear
polarization. The polarization-entangled photon pairs are prepared via spontaneous parametric
down conversion (SPDC), collected into single mode optical fibers, and guided to polarization
analyzers (PA) located with Alice and Bob (see figure 5). Each PA consists of a non-polarizing
beam splitter (BS) providing a random basis choice, followed by two polarizing beam splitters
(PBS) and a pair of silicon avalanche photodiodes (APD) as single photon detectors in each of
the BS outputs. A half wave plate before one of the PBS rotates the polarization by 45°. This
detection setup was used in a number of QKD demonstrations [28]-[30].

The SPDC source is similar to [30], with a continuous wave free running laser diode (398 nm,
10 mW) pumping a 2 mm thick Barium-betaborate crystal cut for type-II non-collinear parametric
down conversion and the usual




FIG. 5: Experimental setup. Polarization-entangled photon pairs are generated via
non-collinear type-II spontaneous parametric down conversion of blue light from a laser diode
(LD) in a barium-betaborate crystal (BBO), and distributed to polarization analyzers (PA) at
Alice and Bob via single mode optical fibers (SF). The PA are based on a nonpolarizing beam
splitter (BS) for a random measurement base choice, a half wave plate ($\lambda/2$) at one of
the outputs, and polarizing beam splitters (PBS) in front of single-photon counting silicon
avalanche photodiodes. Detection events on both sides are timestamped (TU) and recorded for
further processing. A polarization controller (FPC) ensures that polarization
anti-correlations are observed in all measurement bases.



walk-off compensation to obtain polarization-entangled photon pairs [31]. We collect photon
pairs into single mode optical fibers such that we observe an average pair rate
$r_p = 2997 \pm 82\,\mathrm{s}^{-1}$.

Such a source generates photon pairs in a stochastic manner, but with a strong correlation in
time. Therefore, valid clicks are timestamped on both sides first. In a classical
communication step, detection times $t_A$, $t_B$ are compared, and valid rounds are identified
if valid clicks fall into a coincidence time window of $\tau_c = 3$ ns, i.e.,
$|t_A - t_B| < \tau_c/2$, similar to [29] with the code in [32]. The visibilities of the
polarization correlations in the singlet state are 97.7 ± 0.6% and 94.7 ± 0.9% in the HV and
45° linear basis. Individual detection rates on both sides are
$r_A = 23758 \pm 221\,\mathrm{s}^{-1}$ and $r_B = 22227 \pm 247\,\mathrm{s}^{-1}$ on Alice and
Bob's side, respectively. In an initial alignment step, the fiber polarization controller was
adjusted such that we see polarization correlations corresponding to a singlet state with a
quantum bit error ratio (QBER) of about $p_{\text{err}} = 4.1\%$. The QBER is not to be
confused with the failure probability of bit commitment protocol. Calculations of the latter
are explicitly stated in the Supplementary Methods. As reported in the summarizing paragraph
of our introduction, this quantity is much smaller than the former.
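
The coincidence step described above can be sketched as a two-pointer match over sorted timestamps, which also yields the list of rounds Bob reports as missing. This is an added example, not the code of [32]; the streams are constructed from the rates quoted above over one second, and the 1 ns timing jitter, the function names and the one-partner-per-round rule are assumptions.

```python
import random

TAU_C_PS = 3000  # coincidence window tau_c = 3 ns from the page, in picoseconds

def match_rounds(t_a, t_b, tau_c=TAU_C_PS):
    """For every Alice click (a round) return the index of Bob's partner click or None.

    Both lists hold sorted integer timestamps. A partner satisfies
    |t_A - t_B| < tau_c / 2 and each Bob click is assigned to at most one round."""
    partners, j = [], 0
    for ta in t_a:
        # Skip Bob clicks that lie too early for this and every later Alice click.
        while j < len(t_b) and 2 * (ta - t_b[j]) >= tau_c:
            j += 1
        if j < len(t_b) and 2 * abs(t_b[j] - ta) < tau_c:
            partners.append(j)
            j += 1
        else:
            partners.append(None)
    return partners

def missing_report(partners):
    """Indices of Alice's rounds for which Bob saw no valid click (his loss report)."""
    return [i for i, p in enumerate(partners) if p is None]

def constructed_streams(seed=1, duration_ps=10**12, n_pairs=2997,
                        n_alice=23758, n_bob=22227, jitter_ps=1000):
    """Constructed one-second data set: n_pairs correlated clicks with timing jitter on
    Bob's side, padded with uncorrelated clicks up to each side's individual rate."""
    rng = random.Random(seed)
    pairs = [rng.randrange(duration_ps) for _ in range(n_pairs)]
    t_a = pairs + [rng.randrange(duration_ps) for _ in range(n_alice - n_pairs)]
    t_b = [t + rng.randint(-jitter_ps, jitter_ps) for t in pairs]
    t_b += [rng.randrange(duration_ps) for _ in range(n_bob - n_pairs)]
    return sorted(t_a), sorted(t_b)

def no_click_fraction(t_a, t_b):
    """Fraction of Alice's rounds that Bob reports as missing."""
    return len(missing_report(match_rounds(t_a, t_b))) / len(t_a)

if __name__ == "__main__":
    t_a, t_b = constructed_streams()
    print("rounds:", len(t_a))
    print("valid rounds:", len(t_a) - len(missing_report(match_rounds(t_a, t_b))))
    print("fraction reported missing: %.4f" % no_click_fraction(t_a, t_b))
```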

For carrying out a successful bit commitment, we need to determine the parameters
$p^1_{\text{sent}}$, $p^0_{\text{sent}}$, and $p_{B,\text{noclick}}$. Depending on these
probabilities and the desired error parameter $\varepsilon$, we choose a particular error
correcting code and number of rounds $M$ needed for a successful bit commitment. To estimate
these probabilities out of the experimental parameters of our source/detector combination, we
model our setup by a lossless SPDC source emitting only photon pairs at a rate $r_s$, and
assign all imperfections (losses, limited detection efficiency, and background events) to the
detectors at Alice and Bob. Since the coherence time of the photons in our case is much
shorter than the coincidence detection time window $\tau_c$, the distribution of photon pairs
in time can be well described by a Poisson process, which allows an assessment of multiphoton
events. A detailed derivation of bounds for the probabilities is given in the Supplementary
Methods; we just summarize the results necessary for evaluating the security of the protocol:
$1 - r_p/r_A = 0.875 \pm 0.009$. (8)



FIG. 6: Bias in measurements. Solid lines indicate the prob- 
abilities P(HV) of a HV basis choice for both Alice and Bob 
for data sets of 250000 events each. Dashed lines indicate 
the probability P(H) of a H in the HV measurement basis, 
the dotted lines the probability P(+) of a +45° detection in 
a ±45° measurement basis. These asymmetries arise from
optical component imperfections and are corrected in a
symmetrization step.
Due to small differences in the detection efficiency of
the APD and imperfections in polarization components
in the actual experiment, there is an asymmetry in the
probability of detecting each bit in each basis. Furthermore,
the beam splitter for the random measurement
basis choice is not completely balanced. A summary
of these imperfections over a number of bit commitment
runs is shown in figure 6. This can be corrected for by
discarding rounds until the probabilities for both bits are
equal. Discarded bits can be modeled as losses without
affecting the security of the protocol. A detailed analysis
of this can be found in the Supplementary Methods.
Supplementary Material



I. SUPPLEMENTARY FIGURES 
Supplementary Figure S3: Relative distance of random
code versus code rate. A randomly generated code
reaches the bound given in Theorem 1 with overwhelming
probability. Meanwhile, the MRRW2 bound [3^] is the smallest
upper bound derived up to the present, and it is not known
if this bound is tight. It is also not known whether any
linear binary codes exist at all between the two regions.



Supplementary Figure S1: Model of experimental
setup. An ideal source generates time-correlated photon
pairs with a rate $r_s$ and sends them to detectors at Alice and
Bob. The losses (due to all causes including source imperfections
and detection efficiencies) are modeled with attenuators
with a transmission $\eta_A$ and $\eta_B$, respectively. To cater for
dark counts in detectors, fluorescence background and external
disturbances, we introduce background rates $r_{bA}$, $r_{bB}$ on
both sides. Valid rounds are identified by a coincidence detection
mechanism that recognizes photons corresponding to
a given entangled pair. Event rates $r_A$ and $r_B$ reflect measur-



rate of identified coincidences. 



II. SUPPLEMENTARY TABLES 
Parameter                Description

$p^1_{\rm sent}$         Probability that a single photon was sent to Bob.

$p^h_{B,\rm noclick}$    Probability that honest Bob observes no click.

$p^d_{B,\rm noclick}$    Probability that dishonest Bob observes no click.
                         Note: this value is equal to $p^0_{\rm sent}$, i.e., the
                         probability that no photons were sent to Bob.

$p_{\rm err}$            Probability that the measurement outcome for
                         honest Alice and honest Bob is different,
                         when the same basis is used for both parties.

Supplementary Table S1: Parameters required for security
proof of bit commitment. All the above quantities
are conditioned on the event that Alice registered a valid click.



Supplementary Figure S2: The encoding and decod- 
ing of a message. A total of k bits were encoded into n 
bits and sent through the noisy channel, then recovered com- 
pletely after undergoing the transmission process. 
III. SUPPLEMENTARY DISCUSSION

Properties of Error-correcting codes 

A linear error-correcting code can be defined by
specifying its parity check matrix H, which has
dimensions $n \times (1 - R)n$. Given a vector x of length
n, the parity check syndrome is simply ${\rm Syn}(x) = x \cdot H$ [38].

Recall that in our BC protocol, both parties agree
on a code beforehand, and during the commit phase,
Alice sends the syndrome to Bob. The syndrome mainly
serves as a back-checking procedure for Bob during the
open phase to confirm that Alice is honest. The longer
the syndrome, the more information about
$X^n$ is given to Bob, and the harder it becomes for Alice
to cheat. Both Alice and Bob agree on the code used,
and for our purposes the complications in decoding are
unnecessary, as an honest Bob never needs to decode.

In the theory of error-correcting codes, a question
of much significance is depicted in Supplementary
Figure S2: given a scenario where information is
sent through an unavoidable noisy channel, under what
conditions does an encoding scheme exist such that the
message can be recovered completely after undergoing
the communication process? In other words, given a
message Y comprising k bits and a noisy channel for
communication, what is the theoretical minimum length
of encoded message n, such that the decoding can detect
errors and recover Y accurately?

It has been shown by Shannon that for the recovery
of information to be possible, the fraction $k/n$ has a
theoretical upper bound C, known as the capacity of the
channel. For any value $R = k/n > C$, decoding is never
possible. For a binary symmetric channel, the capacity
is proven to be

$C_{\rm BSC}(p_{\rm err}) = 1 - h(p_{\rm err})$, (S9)

where 



errors. In the subsequent section, we investigate the rela- 
tion of parameters R and d for randomly generated codes, 
and show that random codes satisfy our requirements on 
these parameters for the protocol to be secure. 

Random Codes 

Given a parity check matrix constructed randomly, we 
are interested in what is the minimum distance of this 
code. This problem is a computationally NP-hard one, 
but we do know some probabilistic facts about the minimum
distance, which are stated in the theorem below:

Theorem 1. (Random codes, fsdll) Given a randomly 
generated binary linear code with rate R, the probability
that minimum distance d is smaller than some $\delta n$ is
bounded by the following:

$\Pr[d < \delta n] < 2^{(R - C_\delta) n}$, for $0 < \delta < 1$. (S11)

For large block lengths, we can see that this bound
approaches a step function where for rates $R < C_\delta$,
minimum distance is expected to be larger than $\delta n$ except
with extremely small probability. For our choices of
block lengths, the randomly generated code will satisfy
the bound on minimum distance whenever $R < C_\delta$,
except for some minimal probability that is later added
into the $\varepsilon$-error of the protocol. We plot this bound
in Supplementary Figure S3 with respect to the parameter
$\delta = d/n$, which we refer to as the relative distance.

Given values of $p_{\rm err}$ and reasonably small error
parameter $\varepsilon$, by referring to the conditions for minimum
distance derived in the security analysis, we obtain the
upper bound on the achievable rate, namely $C_\delta$. This
guarantees that for small enough error rates $p_{\rm err}$, it is
sufficient to use a randomly generated code in
our protocol, which will provide us both a good enough
distance and code rate, except with an extremely small
probability. By using Theorem 1 we account for the
probability of error and add it as a source of error for
the execution of the protocol.



$h(p_{\rm err}) = -p_{\rm err}\log_2 p_{\rm err} - (1 - p_{\rm err})\log_2(1 - p_{\rm err})$ (S10)

is the binary entropy of the BSC channel.

LDPC codes



For values of code rate R strictly above the chan- 
nel capacity, the success probability of delivering the 
message is exponentially decreasing with code length 
regardless of the encoding/decoding scheme used. 

Besides the code rate, another important quantity of 
error-correcting codes is the minimum distance d. Given 
an error-correcting code, this quantity shows the minimum
Hamming distance between two strings that have
the same parity check syndrome. The larger the mini- 
mum distance, the more effective a code is at correcting 



Random binary codes are generated by assigning
values 0 and 1 randomly to each element of the parity
check matrix. They have a high density (large fraction
of non-zero elements), which in the large block length limit
is time-consuming to deal with. For efficiency purposes,
it is of interest whether we can construct codes with
lower density (fewer non-zero values).

In [3^|, Gallager has shown that a specific ensemble 
of low density codes does attain the same limit given
for the random codes as above, when considering large
enough block lengths. These codes involve using random
permutations of a submatrix, and the construction is
straightforward. This type of code can be of future interest,
because its usage will shorten the computation
time used in the protocol. However, this is achieved at
the expense of introducing an additional error probability
of constructing a bad code (one with unsatisfactory minimum
distance), which is not straightforward to evaluate.



way of assessing the losses reliably. We thus try to es- 
timate bounds of the required probabilities for the bit 
commitment protocol out of observable quantities both 
Alice and Bob can agree upon. For this purpose, we 
model losses and background events in our system in a 
way shown in Supplementary Figure S1.

The rates (i.e., events per unit of time) observed at 
Alice are then given by 



$r_A = \eta_A (r_s + r_{bA})$ (S12)



Concatenated codes 

In the case of low bit-flip error, classes of explicit 
concatenated codes might be generated such that the 
minimum distance is guaranteed without introducing 
any probabilistic errors from a randomized construction. 
These codes are constructed by using a Reed-Solomon 
code as an outer code, while using a smaller binary lin- 
ear code as an inner code. We state the properties of 
such concatenated codes in the following theorem: 

Theorem 2 (Concatenated codes). Given a
$[n_1, R_1 n_1, d_1]$ outer code, and a linear binary code
with parameters $[n_2, R_2 n_2, d_2]$. Then the resulting
concatenated code has parameters $[n_1 n_2, k_1 k_2, d]$, where
the code rate $R = R_1 R_2$ and $d \ge d_1 d_2$.

For example, by exploiting this construction, a linear
binary concatenated code with rate R = 0.53 and relative
minimum distance $\delta > 0.052$ can be constructed, where
the code length n = 311296. This value of $\delta$ has a large
discrepancy compared to the probabilistic argument for a
random code. From here it is clearly shown that, if a definite
statement regarding the minimum distance of such
large error-correcting codes (without any probabilistic errors)
is desired, one can still obtain security for smaller
ranges of experimental parameters. For the given example
of concatenated RS code, this corresponds to security
for bit flip error rates $p_{\rm err} < 0.02$, which exceeds the value
obtained in our experiment.



IV. SUPPLEMENTARY METHODS 



A. Experimental parameters 



where $\eta_A$ indicates the detection efficiency and $r_{bA}$ a
background event rate; a similar expression holds for
Bob. The observed coincidence rate in this model is given 
by 



(S13) 



where $r_{\rm acc}$ reflects the so-called accidental coincidence
rate, caused by detection events on both sides happening
within the coincidence time window $\tau_c$ that are not due
to valid clicks from the same photon pair. This rate can
be bounded from observed rates $r_A$ and $r_B$ to



< r 



(S14) 



assuming that all detection events on both sides are
caused by uncorrelated events. In our experiment, this
quantity would result in a value of $r^{\max}_{\rm acc} = 14.9 \pm 0.18\,{\rm s}^{-1}$,
and is negligible compared to the observed coincidence
rate $r_s$. This quantity was independently assessed by
recording the rate of detection time pairings $t_A$, $t_B$ in a
time window that was displaced by $\tau_d = 20$ ns from the
"true" coincidences, i.e., $|t_A - t_B - \tau_d| < \tau_c$ [29]. We
found a rate of $r_{\rm acc} = 5.3 \pm 3.3\,{\rm s}^{-1}$ over the course of
several bit commitment runs. Since $r_{\rm acc} \ll r_p$, we from
now on neglect these events in the rate estimations, and
interpret their occurrence just as events that increase the
error ratio.
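The coincidence sorting from the main text ($|t_A - t_B| < \tau_c/2$) and the displaced-window estimate of accidental coincidences described above can be reproduced on time-stamp lists as follows. This is an added Python example, not the code of [32] or the authors' software; the event layout, the function names and the use of the same window width for the displaced search are assumptions of the example, and the sample events are constructed.

```python
# Added example: sorting time-stamped detection events into valid rounds.
# Timestamps are integers in picoseconds so that window tests are exact.

TAU_C_PS = 3_000     # coincidence window tau_c = 3 ns (from the text)
TAU_D_PS = 20_000    # displacement tau_d = 20 ns (from the text)

# Constructed sample events: (timestamp_ps, basis, raw_bit), sorted by time.
EVENTS_A = [(1_000_000, 0, 0), (5_000_000, 1, 1),
            (9_000_000, 1, 0), (9_020_500, 0, 1)]
EVENTS_B = [(1_000_800, 0, 1), (3_000_000, 1, 0),
            (5_001_600, 1, 0), (9_000_400, 1, 0)]


def match_rounds(events_a, events_b, offset_ps=0, window_ps=TAU_C_PS):
    """Return index pairs (i, j) with |t_A - t_B - offset| < window / 2.

    Both lists must be sorted by timestamp. Each Bob event is used at most
    once, so a single click can never validate two rounds.
    """
    half = window_ps / 2
    pairs, j = [], 0
    for i, (t_a, _, _) in enumerate(events_a):
        expected = t_a - offset_ps            # where Bob's click should sit
        while j < len(events_b) and events_b[j][0] <= expected - half:
            j += 1                            # too early for this and later i
        if j < len(events_b) and abs(events_b[j][0] - expected) < half:
            pairs.append((i, j))
            j += 1
    return pairs


def rates(events_a, events_b, duration_s):
    """Observable rates: singles r_A, r_B, coincidences r_p, accidentals."""
    true_pairs = match_rounds(events_a, events_b)
    displaced = match_rounds(events_a, events_b, offset_ps=TAU_D_PS)
    return {
        "r_A": len(events_a) / duration_s,
        "r_B": len(events_b) / duration_s,
        "r_p": len(true_pairs) / duration_s,
        "r_acc": len(displaced) / duration_s,
    }


def error_ratio(events_a, events_b, pairs):
    """p_err over valid rounds in which both sides used the same basis.

    The singlet state gives anti-correlated raw outcomes, so this example
    assumes Bob inverts his bit: equal raw bits count as an error.
    """
    same_basis = [(i, j) for i, j in pairs
                  if events_a[i][1] == events_b[j][1]]
    if not same_basis:
        return None
    errors = sum(events_a[i][2] == events_b[j][2] for i, j in same_basis)
    return errors / len(same_basis)
```
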

To evaluate the probability $p^1_{\rm sent}$ that exactly one photon
was sent to Bob in the interval $\tau_c$ around a time when
Alice has seen an event, we first consider the probability
$p^0_{\rm sent}$ that no photon was sent to Bob, given Alice has
seen an event. This can only be caused by a background
event with Alice. Thus, $p^0_{\rm sent}$ equals the probability that
a detection event on Alice's side is caused by background,
which is given by



To analyze our bit commitment protocol in any practical
experiment, several probabilities have to be determined.
Supplementary Table S1 summarizes all the
probabilities we will need to estimate. We emphasize
that all such probabilities are conditioned on the event 
that Alice registers a round, i.e. sees a valid click. 

A difficulty in estimating the probabilities of success in 
a "round" arises from the fact that generation of photon 
pairs in a parametric down conversion source is a stochas- 
tic process. Furthermore, losses in the system may occur 
in the source or in detectors, and we do not have an easy 



$p^0_{\rm sent} = \frac{r_{bA}}{r_{bA} + r_s} = 1 - \frac{\eta_A r_s}{\eta_A (r_{bA} + r_s)} = 1 - \frac{r_p}{\eta_B r_A}$ (S15)



Since the efficiency $\eta_B$ is not known exactly, we set it to
1 and thereby obtain an upper bound for $p^0_{\rm sent}$:

$p^0_{\rm sent} < 1 - \frac{r_p}{r_A} = 0.875 \pm 0.009$ (S16)
Next, we consider the probability $p^{n>1}_{\rm sent}$ that more than
one photon has been sent to Bob, given that Alice has
seen an event. This probability is the product of the
probability that Alice's event was caused by a photon
pair, and the probability that at least one other photon
pair than the one causing the event on Alice's side
was generated in the coincidence time window $\tau_c$. From
equation (S15) the first probability is given by $r_p/(\eta_B r_A)$.
For the latter, we consider the statistics of photon pairs
emerging from a continuously pumped SPDC source.
While light emerging from a downconversion process is
known to follow thermal photon counting statistics, the
coherence time of the photons in our case (0.73 ps for an
optical bandwidth of 3 nm) is much shorter than $\tau_c$. In
this case, the statistics of several photon pairs in time
window $\tau_c$ follows a Poisson distribution. Since the creation
of an additional photon pair is then independent of
the first photon pair, and the probability that no photon
pair is created in $\tau_c$ is given by $e^{-r_s \tau_c}$, the probability
of creating at least one more photon pair is given by
$1 - e^{-r_s \tau_c}$. This brings us to
-Fscnt
m r A

r s r

m r A

r 2
(S17)



The efficiencies $\eta_A$, $\eta_B$ are not accessible directly from
the experiment, but can be bounded by $\eta_A > r_p/r_B$ and
$\eta_B > r_p/r_A$ via (S12). With this, we can further bound
expression (S17) and arrive at



n>l 



< 



7ATB 



5.32 ± 0.17 x 10" 



(S18) 



which is much smaller than the uncertainty on $p^0_{\rm sent}$.
With this, we arrive at



$p^1_{\rm sent} = 1 - p^0_{\rm sent} - p^{n>1}_{\rm sent} > 0.125 \pm 0.009$ (S19)

and

$p^0_{\rm sent} + p^1_{\rm sent} = 1 - p^{n>1}_{\rm sent} > 0.99947 \pm 0.000017$ (S20)



Finally, the probability for an honest Bob not seeing an
event in a coincidence time window if Alice has detected
something is the complement to the probability that Bob
sees something if Alice has seen something. The latter,
by definition, is given by the ratio $r_p/r_A$. Thus, we have

$p^h_{B,\rm noclick} = 1 - r_p/r_A = 0.875 \pm 0.009$. (S21)



B. Symmetrizing losses



This will lead to imbalances in the choice of basis and 
the choice of BB84 encoded qubit. In our protocol, such 
imbalances affect the security in two places. First, if Alice 
is honest, but Bob is trying to cheat, such imbalances 
give him additional information about which bit or basis 
was used. His advantage is similar to the advantage that 
an eavesdropper in QKD would gain from knowing such 
extra information. Second, if Bob is honest, but Alice 
is trying to cheat, having higher losses in one basis does
reveal information to Alice in which basis Bob measured 
- if Bob does not report a loss it is more likely that he 
used the basis for which losses occur less often. 

We describe a method to deal with such imbalances 
securely - the same method can be used to address im- 
balances on Alice's and Bob's side. For simplicity, we 
outline the procedure in detail for Alice; exactly the same 
method can be used to symmetrize Bob's detectors. The 
essential idea is to make all detectors equally inefficient, 
by throwing away (i.e., declaring as lost) rounds where 
detectors with higher efficiencies registered a click. Note 
that in our protocol, Alice can discard additional rounds 
without consequences for security parameters. Meanwhile,
discarding additional rounds on Bob's side increases
$p^h_{B,\rm noclick}$. Detection events, combined with such
post-processing procedures, define the occurrence of a
valid round. In other words, if a single click occurred 
on both sides and was not manually discarded for sym- 
metrizing purposes, this event is considered a valid round. 

In our setup, Alice has four detectors, one for each bit
in each basis. Let $x, \theta$ label the detector corresponding
to a bit $x \in \{0, 1\}$ in basis $\theta \in \{0, 1\}$. Let $p_\theta$ denote the
probability that basis $\theta$ is chosen, and let $p_{x|\theta}$ denote the
probability that bit x occurs given basis $\theta$. Finally, let
$t_{x,\theta}$ denote the probability that Alice keeps bit x in basis
$\theta$ when the detector $x, \theta$ clicks. That is, Alice discards
bit x in basis $\theta$ with probability $1 - t_{x,\theta}$ even though
a click occurred. Our goal will be to determine the $t_{x,\theta}$
that render $\Pr[x, \theta|{\rm keep}]$, the probability that $x, \theta$ occurs
conditioned on the event that Alice keeps a particular
detection event, the same for all x and $\theta$.

First of all, note that the probability that a particular 
detection event is not discarded, i.e. Alice accepts it as 
a round, can be written as 



$\Pr[{\rm keep}] = \sum_{x,\theta \in \{0,1\}} p_\theta \, p_{x|\theta} \, t_{x,\theta}$ (S22)



By Bayes' rule 



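$\Pr[x, \theta|{\rm keep}] = \frac{\Pr[{\rm keep}|x, \theta] \, \Pr[x, \theta]}{\Pr[{\rm keep}]}$ (S23)

$= \frac{t_{x,\theta} \, p_{x|\theta} \, p_\theta}{\Pr[{\rm keep}]}$ (S24)

Ideally, all probabilities are the same, i.e., for all x and $\theta$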



In practice, not all detectors have the same efficiency. 
Losses will be higher for some detectors than for others. 



$\Pr[x, \theta|{\rm keep}] = \frac{1}{4}$ (S25)
This yields 4 equations, in 3 free parameters since
J2x e^xfi = 1- These can easily be solved for $t_{x,\theta}$.

For our setup, the parameters for symmetrization on
Alice's side are as follows:

$t_{0,1} = 0.963077$
$t_{1,0} = 0.882305$
$t_{1,1} = 0.871353$. (S26)



Symmetrization on Bob's side is dealt with in the same
manner. This however increases the value of $p^h_{B,\rm noclick}$,
since now an honest Bob deliberately throws away more
clicks. This leads to a new value of

$p_{B,\rm noclick} = 1 - (1 - p^h_{B,\rm noclick}) \cdot \Pr[{\rm keep}]$ (S27)



For our setup, the parameters for symmetrization on
Bob's side are:

$t_{0,0} = 0.679745$
$t_{0,1} = 1$
$t_{1,0} = 0.665591$
$t_{1,1} = 0.662890$. (S28)



The probability of Bob keeping a click during symmetrization
is Pr[keep] = 0.729646. Combining this with
the initial estimate of $p^h_{B,\rm noclick}$ gives $p_{B,\rm noclick} = 0.909$,
implying a high amount of losses. Even so, the protocol
remains secure due to the fact that the source provides
multi-photons to Bob with an extremely small probability,
whenever Alice observes only a single detection
event. In other words, $p^1_{\rm sent} + p^d_{B,\rm noclick}$ is extremely high,
as stated in (S20). In such cases, even a high amount of
losses does not compromise security of the protocol.

Also, it should be stressed that $p_{\rm err}$ should be evaluated
for the set of data after all symmetrization procedures,
since there can be bias in the error rates for each bit and
basis. For the set of symmetrized data, $p_{\rm err} = 0.0412$, in
comparison with before symmetrization, $p_{\rm err} = 0.0428$.
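The symmetrization step of (S22) to (S28) can be carried out as in the following added Python example, which is not the authors' code. It assumes that the least likely detector is always kept (t = 1), which is the choice consistent with Bob's published value $t_{0,1} = 1$; the joint click probabilities in P_BOB are constructed by back-computing from (S28) and Pr[keep], and are not measured data from the paper.

```python
import random

# Joint click probabilities p_theta * p_{x|theta}, keyed by (x, theta).
# Constructed for this example from the published t values and Pr[keep].
P_BOB = {(0, 0): 0.268353, (0, 1): 0.182412,
         (1, 0): 0.274059, (1, 1): 0.275176}


def keep_probabilities(p_joint):
    """Solve Pr[x, theta | keep] = 1/4 for the keep probabilities t.

    The least likely detector is never discarded; every other detector is
    thinned down to the same click probability. Returns (t, Pr[keep]).
    """
    floor = min(p_joint.values())
    t = {key: floor / p for key, p in p_joint.items()}
    pr_keep = sum(p * t[key] for key, p in p_joint.items())    # (S22)
    return t, pr_keep


def posterior(p_joint, t):
    """Pr[x, theta | keep] for every detector, following (S24)."""
    pr_keep = sum(p * t[key] for key, p in p_joint.items())
    return {key: t[key] * p / pr_keep for key, p in p_joint.items()}


def updated_noclick(p_noclick, pr_keep):
    """No-click probability after deliberately discarding clicks, (S27)."""
    return 1 - (1 - p_noclick) * pr_keep


def simulate(p_joint, n_clicks, seed=7):
    """Draw clicks, discard each with probability 1 - t, and report the
    kept fraction and the empirical distribution of the kept clicks."""
    rng = random.Random(seed)
    keys = list(p_joint)
    t, _ = keep_probabilities(p_joint)
    clicks = rng.choices(keys, weights=[p_joint[k] for k in keys], k=n_clicks)
    kept = [c for c in clicks if rng.random() < t[c]]   # others count as lost
    freqs = {k: kept.count(k) / len(kept) for k in keys}
    return len(kept) / n_clicks, freqs
```
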



The parameter $\varepsilon$ represents a fixed error parameter,
i.e., we want to achieve security up to an error of $O(\varepsilon)$.
This parameter is used to bound the occurrence probability
of bad events, and we need to frequently refer to
it throughout the analysis. Such bounds are achieved by
making use of the Hoeffding inequality. It says that given
a random variable $X_i \in \{0, 1\}$, where $\Pr(X_i = 0) = 1 - p$,
$\Pr(X_i = 1) = p$, and $Y = \sum_{i=1}^{N} X_i$, we have

$\Pr[Y < (p - \alpha)N] = \Pr[Y > (p + \alpha)N] \le e^{-2\alpha^2 N}$ (S29)



The way we will use the Hoeffding inequality is that we
demand that $e^{-2\alpha^2 N} < \varepsilon$, and then solve for $\alpha$ such that
our demand is satisfied.

Meanwhile, M denotes the number of signals that Al- 
ice counted as valid, i.e., she registers a round (but not 
necessarily Bob as well). 

Based on $\varepsilon$ and M, we will need the following definitions:
click
lick
click
(S30)



where d is the minimum distance of the error-correcting 
code used in the protocol, and n is the number of valid 
rounds that remain. 



Weak string erasure 



C. Theoretical security analysis 



Definition 



In the security proof, we divide the protocol into two 
parts: the first part is Weak String Erasure with Errors 
(WSEE), and the remaining procedure is Bit Commit- 
ment (BC). 



Theoretical parameters 

Next to the experimental parameters defined in
Supplementary Table S1, our analysis will make frequent
use of the following parameter definitions. There
are two more basic parameters in this analysis: M and 



We first provide an informal definition of weak string
erasure with errors (WSEE). A formal definition can be
found in [17]. When both Alice and Bob are honest, an
$(n, \lambda, \varepsilon, p_{\rm err})$-WSEE scheme provides Alice with a string
$X^n$ and Bob with a randomly chosen subset $\mathcal{I} \subseteq [n]$, as
well as a substring $X_{\mathcal{I}}$. This substring is thereby given
by the substring $X_{\mathcal{I}}$ (the bits of $X^n$ corresponding to the
indices in $\mathcal{I}$) passed through a binary symmetric channel
that flips each bit of $X_{\mathcal{I}}$ with probability $p_{\rm err}$.

To specify the security condition against dishonest
Bob, we first need to quantify the uncertainty of Bob
about $X^n$, given access to the entire system of a dishonest
Bob denoted as B'. This is done by lower bounding
the min-entropy of $X^n$ conditioned on Bob's information,

$H_{\min}(X^n|B')_{\rho_{X^n B'}} := -\log P_{\rm guess}(X^n|B')$

$P_{\rm guess}(X^n|B') := \max_{\{D_x\}} \sum_x P_X(x) \, {\rm tr}(D_x \rho_x)$ (S31)

where $P_{\rm guess}$ is referred to as the guessing probability,
namely the probability that Bob correctly guesses $X^n$,
maximized over all measurement strategies upon his system
B' [4p|. The $\varepsilon$-smooth min-entropy is defined as

$H^{\varepsilon}_{\min}(X^n|B')_{\rho_{X^n B'}} := \sup_{\rho'} H_{\min}(X^n|B')_{\rho'}$ (S32)

maximized over all states $\rho'$ such that the purified
distance $C(\rho', \rho_{X^n B'}) = \sqrt{1 - F^2(\rho', \rho_{X^n B'})} < \varepsilon$, where
$F(\rho, \tau)$ denotes the fidelity of states $\rho$ and $\tau$. Intuitively,
this quantity behaves like the min-entropy, except with
a probabilistic error $\varepsilon$.

We can now state the security conditions for an
$(n, \lambda, \varepsilon, p_{\rm err})$-WSEE:

1. Security for Alice: If Alice is honest, then the
amount of information a dishonest Bob holds about $X^n$ is
limited, i.e. the $\varepsilon$-smooth min-entropy of $X^n$ conditioned
on a dishonest Bob's information is lower bounded

$\frac{1}{n} H^{\varepsilon}_{\min}(X^n|B') > \lambda$, (S33)

where $\lambda$ is referred to as the smooth min-entropy rate.

2. Security for Bob: If Bob is honest, then Alice does
not have any information about $\mathcal{I}$. That is, Alice does not learn
which bits of $X^n$ are known to Bob.



Protocol 

In principle, WSEE can be achieved experimentally by
using any QKD device. However, we emphasize that the
experimental requirements and analysis differ entirely.
In particular, security of QKD for a particular setup does
not imply security of bit commitment.

Recall from the informal statement of the protocol in 
the main part of our paper that if Alice herself concludes 
that no photon or a multi-photon has been emitted in a 
particular time slot, she simply discards this event and 
tells Bob to discard it as well. Since this action repre- 
sents no security problem for us, we will for simplicity 
omit these events altogether when stating the more detailed
protocol below. This means that M in the protocol
below, actually refers to the set of post-selected pulses 
that Alice did register as a round. In practice, Alice re- 
ports the missing events to Bob after the waiting time 
has passed. In principle, this could be used to obtain 
better security bounds as Bob does not yet know which 
bits are indeed relevant when he uses his storage device. 
However, we leave such a refined analysis for future work. 



In addition, introducing time slots enables Bob to re- 
port a particular bit as missing, if he obtained no click in 
a particular time slot. Alice and Bob will subsequently 
discard all lost rounds. In the protocol below, we assume 
the detectors have already been symmetrized appropriately
as outlined in the Supplementary Methods IV B.
The purpose of symmetrizing is to ensure that losses are
independent of basis choice, hence Alice cannot obtain
any information about $\mathcal{I}$ by observing the rounds
reported lost by Bob.



How large is n going to be? Since Alice aborts if Bob
reports too many rounds as missing, we have that
$n > (1 - p^h_{B,\rm noclick} - \zeta_{B,\rm noclick}) M$. If a fixed n is desired, we
can take $n = (1 - p^h_{B,\rm noclick} - \zeta_{B,\rm noclick}) M$ as in (EM)},
where Alice randomly truncates the resulting string, and
informs Bob about the truncation. This is the approach
we take here. In our protocol, there is also a possibility
that Alice aborts. An abort here means that Alice simply
generates a random $x^n$ as output. This means that our


Protocol 1: Weak String Erasure with Errors (WSEE)

Outputs: $x^n \in \{0,1\}^n$ to Alice, $(\mathcal{I}, z^{|\mathcal{I}|}) \in 2^{[n]} \times \{0,1\}^{|\mathcal{I}|}$ to Bob.

1. Alice: Chooses a string $x^M \in_R \{0,1\}^M$ and
basis-specifying string $\theta^M \in_R \{0,1\}^M$ uniformly
at random.

2. Bob: Chooses a basis string $\tilde\theta^M \in_R \{0,1\}^M$
uniformly at random.

3. In time slot $i = 1, \ldots, M$:

1. Alice: Encodes bit $x_i$ in the basis $\theta_i$ (i.e.,
as $H^{\theta_i}|x_i\rangle$), and sends the resulting state
to Bob.

2. Bob: Measures in the basis given by $\tilde\theta_i$ to
obtain outcome $\tilde x_i$. If Bob obtains no click
in this time slot, he records round i as lost.

4. Bob: Reports missing rounds to Alice.

5. Alice: If the number of rounds that
Bob reported missing does not lie in the interval
$[(p^h_{B,\rm noclick} - \zeta_{B,\rm noclick}) M, (p^h_{B,\rm noclick} + \zeta_{B,\rm noclick}) M]$,
then Alice aborts the protocol.
Otherwise, she deletes all bits from $x^M$ that Bob
reported missing. Let $x^n \in \{0,1\}^n$ denote the
remaining bit string, and let $\theta^n$ be the basis-specifying
string for the remaining rounds. Let
$\tilde\theta^n$ and $\tilde x^n$ be the corresponding strings for Bob.

Both parties wait time $\Delta t$.

6. Alice: Sends the basis information $\theta^n$ to Bob,
and outputs $x^n$.

7. Bob: Computes $\mathcal{I} := \{i \in [n] \mid \theta_i = \tilde\theta_i\}$, and
outputs $(\mathcal{I}, z^{|\mathcal{I}|}) := (\mathcal{I}, \tilde x_{\mathcal{I}})$.
protocol does at all times generate a string of length n =

.noclick



Protocol 2: Non-Randomized Bit Commitment (BC)

By using a binary linear error-correcting code C, let
Syn: $\{0,1\}^n \to \{0,1\}^{n-k}$ be the function that outputs
the parity check syndrome for C. Also, select Ext:
$\{0,1\}^n \times \mathcal{R} \to \{0,1\}^\ell$ from a set of 2-universal hash
functions.

(A) Commit Phase

1. Alice and Bob: execute $(n, \lambda, \varepsilon, p_{\rm err})$-WSEE.
Alice obtains $X^n$ while Bob obtains $X_{\mathcal{I}}$ and $\mathcal{I}$.

2. Bob: Checks if $|\mathcal{I}| \ge m$. If so, he randomly
truncates $\mathcal{I}$ until $|\mathcal{I}| = m$. Otherwise, he aborts
the protocol.

3. Alice:

a) computes $w = {\rm Syn}(X^n)$ and sends it to Bob.

b) picks a 2-universal hash function $r \in_R \mathcal{R}$ and
sends it to Bob.

4. Alice: Commits $C^\ell \in \{0,1\}^\ell$ by computing
$D^\ell = {\rm Ext}(X^n, r)$ and sends $E^\ell = C^\ell \oplus D^\ell$ to
Bob.

(B) Open Phase

1. Alice: reveals the complete string $X^n$ to Bob.

2. Bob: Performs checks:

a) computing the syndrome and checking that it
agrees with w sent by Alice.

b) checking $X^n$ against $X_{\mathcal{I}}$, ensuring that the
number of bits that disagree at positions in $\mathcal{I}$ lies
in the interval $[(p_{\rm err} - \alpha_2) m, (p_{\rm err} + \alpha_2) m]$.

3. Bob: If conditions are satisfied, he accepts the
commitment and calculates $D^\ell = {\rm Ext}(X^n, r)$. Both
of them output $C^\ell$.



Analysis 

The analysis of weak string erasure with errors has already
been performed in [25]. Essentially, losses allow
a dishonest Bob to discard a fraction of single-photon
detection events, and keep more multi-photon events so
that his chance of guessing $X^n$ correctly is increased. The
resulting min-entropy rate $\lambda$ can thereby be calculated as
a function of experimental parameters listed in Supplementary
Table S1. That is, the min-entropy rate is a
function of $p^1_{\rm sent}$, $p^h_{B,\rm noclick}$, $p^d_{B,\rm noclick}$ and M

$\lambda = \lambda(p^1_{\rm sent}, p^h_{B,\rm noclick}, p^d_{B,\rm noclick}, M)$. (S34)

In our further analysis, we will hence assume that WSEE
has been shown secure, and state security as a function
of a fixed parameter $\lambda$ and fixed n. We then combine the
two to give explicit security parameters as a function of
the experimental parameters.



Bit commitment from weak string erasure 

What remains is to analyse security of the bit commitment
protocol (BC) based on WSEE. An informal definition
of BC was stated in the introduction, and a formal
one can be found in [17]. The protocol below is very similar
to the one proposed in [17], which gave a BC protocol
for weak string erasure without errors (i.e., $p_{\rm err} = 0$). To
address the case of $p_{\rm err} > 0$, we introduce modifications
to the BC protocol, allowing the modified protocol to
stay secure up to a certain amount of bit flip error from
the experimental setup.



Protocol 

We present the fully modified BC protocol as Protocol
2, by including WSEE as a sub-protocol. Our protocol
allows Alice to commit a string $D^\ell \in \{0,1\}^\ell$ to Bob. However,
for our experiment we chose to commit only a single
bit $\ell = 1$ which is the scenario typically considered in bit
commitment. Our protocol makes use of the parameters
defined in (S30).



There are two modifications in this protocol compared
to its previous version in [17]. The first is the use of a
different error-correcting code C. We will first provide a
general analysis to prove the security of bit commitment,
given that several conditions on both the rate and relative
minimum distance of the error-correcting code used are
met. We then show that by generating a binary linear
code at random, the conditions on minimum distance and
rate can be satisfied, except for a small probabilistic error
that can be later added to the total security error of
the protocol.

Note that random codes do not pose a problem when 
executing the protocol since honest parties never need to 
decode. Details of the properties of error-correcting codes 
can be found in the Supplementary Discussion. Secondly, 
the checks performed by Bob in the open phase have been 
modified to account for the existence of bit flip errors, 
such that Bob tolerates a certain limited amount of er- 
rors. 

Analysis

Intuitively, bit flip errors in WSEE give Alice more freedom to cheat, as a malicious Alice can avoid the errors and choose to corrupt the string $X^n$ herself. In other words, the actual bit flip error $p_{\rm err}$ in such a scenario equals zero. This makes it harder for Bob to identify a cheating Alice, because whenever he finds a discrepancy between $X_I$ and $X^n$, he cannot be sure if it was due to a bit flip error or a malicious Alice.

We now proceed to prove that the protocol is secure, except for a minimal probability $\varepsilon$, when $p_{\rm err}$ is sufficiently small. The proof is done in three steps as shown:

1. Correctness: If both parties are honest, Bob always accepts the commitment except with minimal probability.

2. Security against Alice: For any dishonest Alice, Bob detects her attempt to cheat and rejects the commitment except with minimal probability.

3. Security against Bob: For any dishonest Bob, he does not obtain information about the committed bit except with minimal probability.

a. Correctness. We shall first prove the correctness of the protocol, namely that when Alice and Bob are both honest, Bob always accepts the protocol except with some minimal probability $\varepsilon$.

Lemma 1 (Correctness of the protocol). If Alice and Bob are both honest, then the protocol is $2\varepsilon$-correct.

Proof. There are two steps in this proof. Firstly, we show that Bob receives at least $m$ bits from WSEE except with probability $\varepsilon$. Secondly, we prove that the number of erroneous bits Bob picks up is close to the expected value $p_{\rm err} m$, except with probability $\varepsilon$. The total probability of either event occurring is then $2\varepsilon$, since failure occurs in either case.

Since each bit $X_i$ from Alice is obtained by Bob with probability $\frac{1}{2}$, by applying Hoeffding's inequality to the random variable $Y = |I|$, i.e. the length of the substring Bob obtains from WSEE, we see that

$$\Pr\left[Y < \left(\tfrac{1}{2} - \alpha_1\right) n\right] \leq e^{-2\alpha_1^2 n} \leq \varepsilon, \tag{S35}$$

where $n$ is the length of the string $X^n$ Alice has. Using $\alpha_1$ as defined in (S30) allows Bob to get at least $m$ bits except with probability $\varepsilon$. Note that the probability 1/2 is determined by Bob's random choice of basis, and is independent of $p_{\rm err}$.

We then proceed to show that the number of erroneous bits Bob expects to obtain lies within the interval $[(p_{\rm err} - \alpha_2)m, (p_{\rm err} + \alpha_2)m]$ except with some probability $\varepsilon$. Note that since we have previously shown that Bob obtains at least $m$ bits, we can safely fix the length of Bob's substring to be $m$.

Again applying Hoeffding's inequality, with the random variable of interest $Z$ being the number of erroneous bits Bob obtains,

$$\Pr\left[\,|Z - p_{\rm err} m| > \alpha_2 m\,\right] \leq 2e^{-2\alpha_2^2 m} \leq \varepsilon, \tag{S36}$$

again using $\alpha_2$ as defined in (S30). Hence the correctness of the protocol is guaranteed except with probability $2\varepsilon$. □

b. Security against dishonest Alice. We now proceed to prove security against Alice. Recall that a malicious Alice can avoid bit flip errors and tamper with the bit string directly. We need to show that no matter how Alice tampers with the string, Bob will detect her cheating with probability close to unity.

Previously [17], for $p_{\rm err} = 0$, whenever Bob checks $X_I$ against $X^n$ and finds one faulty bit, he aborts the protocol directly. However, in a realistic setup Bob accepts a number of roughly $p_{\rm err} m$ bits. By properties of the error-correcting code, we know from [17] that for any attack Alice has to change at least $\frac{d}{2}$ bits such that Bob will accept the syndrome as consistent [17]. With this, we set a constraint on the code distance used such that whenever Alice attempts to cheat, Bob picks up enough faulty bits to detect the cheating except with some minimal probability.

Lemma 2 (Security against Alice). If Bob is honest, given that Alice and Bob use an error-correcting code with minimum distance $d > \frac{2(p_{\rm err} + \alpha_2)(\frac{1}{2} - \alpha_1)n}{\frac{1}{2} - \alpha_3}$, the pair of protocols (Commit, Open) is $2\varepsilon$-binding.

Proof. In our proof we assume that a malicious Alice can avoid all bit flip errors in WSEE, so that the scenario reduces to WSE where $p_{\rm err} = 0$. From the proof of correctness, we know that Bob obtains enough bits from WSEE except with probability $\varepsilon$.

For any general attack Alice can attempt, to satisfy Bob's check on the syndrome she has to change at least $\frac{d}{2}$ bits in the original string $X^n$, where $d$ is the code distance [17]. Since Bob picks up each faulty bit with probability $\frac{1}{2}$, by defining $W$ to be the number of faulty bits Bob obtains in his substring, and applying Hoeffding's inequality,

$$\Pr\left[W < \left(\tfrac{1}{2} - \alpha_3\right)\tfrac{d}{2}\right] \leq e^{-\alpha_3^2 d}. \tag{S37}$$

We see that Bob picks up at least $(\frac{1}{2} - \alpha_3)\frac{d}{2}$ flipped bits except with probability $\varepsilon$, for $\alpha_3$ as defined in (S30). Combining with the fact that Bob accepts at most $(p_{\rm err} + \alpha_2)m$ bits, we require

$$\left(\tfrac{1}{2} - \alpha_3\right)\tfrac{d}{2} > (p_{\rm err} + \alpha_2)\,m. \tag{S38}$$

The requirement for code distance is then given by

$$d > \frac{2(p_{\rm err} + \alpha_2)(\frac{1}{2} - \alpha_1)\,n}{\frac{1}{2} - \alpha_3}. \tag{S39}$$

Hence generally when Alice and Bob use a code with minimum distance that satisfies the above requirement, whenever Alice attempts to cheat, the pair of protocols is proven to be $2\varepsilon$-binding. □
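Bob's tolerant open-phase check from the correctness and binding arguments above, as an added toy simulation (not the authors' code and not Protocol 2 verbatim). Assumptions: $\alpha_1$ and $\alpha_2$ are the values at which the Hoeffding tails in (S35) and (S36) equal $\varepsilon$, Ext is a one-bit inner product with a random seed, and the block length 4000 and the 600 tampered positions are constructed values; the rate 0.531 and error rate 0.0412 echo the experiment's figures.

```python
import math
import random

def hoeffding_params(n, eps, p_err):
    """Substring length m and Bob's error budget (p_err + alpha_2) * m.

    Assumption: alpha_1, alpha_2 are the smallest values for which the
    Hoeffding tails in (S35) and (S36) equal eps.
    """
    a1 = math.sqrt(math.log(1 / eps) / (2 * n))
    m = math.floor((0.5 - a1) * n)
    a2 = math.sqrt(math.log(2 / eps) / (2 * m))
    return m, math.floor((p_err + a2) * m)

def parity(v):
    return bin(v).count("1") & 1

def syndrome(H_rows, x):
    """Syn(x) = H x over GF(2); rows of H and x are ints used as bit vectors."""
    return [parity(row & x) for row in H_rows]

def wsee(n, p_err, rng):
    """Toy WSEE: Alice holds x; Bob learns each bit w.p. 1/2, flipped w.p. p_err."""
    x = rng.getrandbits(n)
    bob = {i: ((x >> i) & 1) ^ int(rng.random() < p_err)
           for i in range(n) if rng.random() < 0.5}
    return x, bob

def commit(bit, x, H_rows, n, rng):
    """Alice sends Syn(x), an extractor seed r, and the bit masked by Ext(x, r)."""
    r = rng.getrandbits(n)          # assumption: Ext(x, r) = <x, r> mod 2
    return syndrome(H_rows, x), r, bit ^ parity(r & x)

def open_check(x_open, com, bob, H_rows, m, budget, rng):
    """Bob's open-phase test: syndrome match plus at most `budget` mismatches."""
    syn, r, masked = com
    if len(bob) < m:                      # WSEE delivered too few bits
        return False, None, False, None
    syn_ok = syndrome(H_rows, x_open) == syn
    kept = rng.sample(sorted(bob), m)     # fix Bob's substring length to m
    mismatches = sum(((x_open >> i) & 1) != bob[i] for i in kept)
    ok = syn_ok and mismatches <= budget
    return ok, (masked ^ parity(r & x_open)) if ok else None, syn_ok, mismatches

def demo(n=4000, rate=0.531, eps=1e-5, p_err=0.0412, seed=1):
    rng = random.Random(seed)
    m, budget = hoeffding_params(n, eps, p_err)
    # Random parity-check matrix with n - k rows; honest parties never decode.
    H_rows = [rng.getrandbits(n) for _ in range(n - round(rate * n))]
    x, bob = wsee(n, p_err, rng)
    com = commit(1, x, H_rows, n, rng)
    honest = open_check(x, com, bob, H_rows, m, budget, rng)
    tampered = x
    for i in rng.sample(range(n), 600):   # constructed dishonest opening
        tampered ^= 1 << i
    cheat = open_check(tampered, com, bob, H_rows, m, budget, rng)
    return m, budget, honest, cheat

if __name__ == "__main__":
    print(demo())
```

The honest opening passes with a mismatch count near $p_{\rm err} m$, well inside the budget, while the tampered opening fails both the syndrome test and the mismatch budget.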

c. Security against dishonest Bob. Subsequently, we prove security against Bob. Recall that a cheating Bob can first make arbitrary measurements and store some classical information, and then keep some quantum information in his noisy-storage device. The overall state of Bob's system can then be described as a ccq-state $\rho_{X^n K \Theta^n \mathcal{F}(Q)}$, with $K$ being Bob's classical information obtained from measurements, $\Theta^n$ being Alice's basis information, and $\mathcal{F}(Q)$ being Bob's quantum information stored in an imperfect quantum memory.

To quantify the $\varepsilon$-smooth min-entropy of Bob's information about Alice's string $X^n$, we proceed as in [17]: We first bound Bob's ignorance about $X^n$ based on his classical information $K$ alone. Second, we relate this bound to his ignorance about $X^n$ given $K$ and $\mathcal{F}(Q)$. This yields security statements in terms of the classical capacity of $\mathcal{F}$. Note that it is known that for very many channels better security bounds are possible in terms of the entanglement cost [22] and the quantum capacity [2^. However, the classical capacity is still much better understood and offers explicit parameters for many interesting channels. In contrast, e.g. the quantum capacity of the depolarizing channel is not known.

To bound Bob's ignorance given $K$ alone, we invoke our results of [4l[ as stated in the following theorem:

Theorem 3 (Uncertainty relation [ll|). If Alice is honest, the $\varepsilon$-smooth min-entropy of Bob's information about $X^n$ is



W min (X n \e n K) > g(s)n 



21oge- 1 



(S40) 



where

$$g(s) = -\frac{1}{s}\left[\log(1 + 2^s) - (1 + s)\right] \tag{S41}$$

for any $0 < s < 1$.

Theorem [3] gives us a bound on the min-entropy rate of Bob's classical information about $X^n$, whenever Alice is honest. We then use Lemma 2.2 from [17] to bound the min-entropy rate of $X^n$ when he has the ccq-state

Lemma 4 (Min-entropy with quantum side information, [17]). Consider an arbitrary ccq-state $\rho_{XTQ}$, and let $\varepsilon, \varepsilon' > 0$ be arbitrary. Let $\mathcal{F} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_Q)$ be an arbitrary CPTPM representing a quantum channel. Then

$$H^{\varepsilon+\varepsilon'}_{\min}(X^n | T\mathcal{F}(Q)) \geq -\log P^{\mathcal{F}}_{\rm succ}\left(\left\lfloor H^{\varepsilon}_{\min}(X^n | T) - \log\frac{1}{\varepsilon'}\right\rfloor\right) \tag{S42}$$

with

$$P^{\mathcal{F}}_{\rm succ}(Rn) := \max_{\{D_y\}_y, \{\rho_y\}_y} \frac{1}{2^{Rn}} \sum_{y \in \{0,1\}^{Rn}} \operatorname{tr}\left(D_y \mathcal{F}(\rho_y)\right), \tag{S43}$$

where the maximum is taken over all encodings $\{\rho_y\}$ and decoding POVMs $\{D_y\}_y$ of classical symbols $y$.

Note that this bound is dependent on the properties of the quantum storage device $\mathcal{F}$. For example, if the memory were to be of arbitrarily large size and noiseless, the success probability $P^{\mathcal{F}}_{\rm succ}(Rn)$ is always 1, and the min-entropy of Bob's information about $X^n$ would be simply zero. However, the assumption of noisy and bounded storage comes in here to give a sufficiently high min-entropy, which is crucial for the security proof. For simplicity in further proofs, we also introduce a simpler version, considering only bounded storage, which is a simple consequence of the chain rule and monotonicity of the min-entropy [IH, [27].

Corollary 5 (Min-entropy for bounded quantum storage). Assume that the min-entropy of Bob's information about $X^n$ is $H^{\varepsilon}_{\min}(X^n | T)$, and that Bob has a perfect quantum memory $Q$ that can store $S$ qubits. Then

$$H^{\varepsilon}_{\min}(X^n | TQ) \geq H^{\varepsilon}_{\min}(X^n | T) - S. \tag{S44}$$


With the above Theorem [3] and Lemma [4] we can prove security against Bob in two steps. First, we show that if Alice is honest, the min-entropy rate of Bob's information about the string $X^n$ is lower bounded by $\lambda n$ for some $\lambda$. Then, by using privacy amplification, we show that the cq-state of $C^l$ and Bob's information is $2\varepsilon$-close to a product state, with $C^l$ having uniform distribution over $\{0,1\}^l$. As we are only interested in committing a single bit in this experiment, we will restrict our statement to the case of $l = 1$. A more general statement can be derived analogously.

Lemma 6 (Security against Bob). For a fixed parameter $\varepsilon$, define $\lambda$ to be the $\frac{\varepsilon}{2}$-smooth min-entropy rate of Bob's information about $X^n$. If Alice is honest, and if the code rate satisfies

$$R > 1 - \lambda + \frac{2\log\frac{1}{\varepsilon}}{n}, \tag{S45}$$

then the pair of protocols (Commit, Open) is $2\varepsilon$-hiding for $l = 1$, i.e. the commitment of a single bit.

Proof. After executing WSEE, by using Theorem [3] and Theorem O, Bob's $\frac{\varepsilon}{2}$-smooth min-entropy about $X^n$ can be evaluated. Note that from the syndrome sent to him he obtains additional information about $X^n$, and this is accounted for by the chain rule and monotonicity property of min-entropy p?^:

$$H^{\varepsilon/2}_{\min}(X^n | B', \mathrm{Syn}(X^n)) \geq H^{\varepsilon/2}_{\min}(X^n | B') - L, \tag{S46}$$

where $L$ is the length of the syndrome. Recall that the length of the syndrome is $L = n - k = (1 - R)n$, where $R = \frac{k}{n}$ is the code rate. Hence, we have

$$H^{\varepsilon/2}_{\min}(X^n | B', \mathrm{Syn}(X^n)) \geq (\lambda - 1 + R)\,n, \tag{S47}$$

which denotes the min-entropy rate of Bob's total information about $X^n$ at the end of the commit phase.

Next, we show that by privacy amplification Bob does not gain knowledge about the committed information $C^l$. Denoting the committed string as $C^l = \mathrm{Ext}(X^n, R) \in \{0,1\}^l$, having length $l$, we have from [27] that

$$\rho_{C, B' \mathrm{Syn}(X^n)} \approx_{\varepsilon'} \tau_{\{0,1\}^l} \otimes \rho_{B', \mathrm{Syn}(X^n)}, \tag{S48}$$

where

$$\varepsilon' = 2\varepsilon_0 + 2^{-\frac{1}{2}\left[H^{\varepsilon_0}_{\min}(X^n | B', \mathrm{Syn}(X^n)) - l\right] - 1} \tag{S49}$$

and $\tau_A$ is the uniform distribution over the entire set $A$. Setting $\varepsilon_0 = \frac{\varepsilon}{2}$,

$$\varepsilon' = \varepsilon + \frac{1}{2} \cdot 2^{-\frac{1}{2}\left[H^{\varepsilon/2}_{\min}(X^n | B', \mathrm{Syn}(X^n)) - l\right]}. \tag{S50}$$

Setting the second term in (S50) to be $\varepsilon$, and setting $l = 1$, this implies

$$\lambda - 1 + R - \frac{1}{n} > -\frac{2\log\varepsilon + 2}{n}. \tag{S51}$$

Rearranging gives (S45). In the large $n$ limit, we require $R > 1 - \lambda$. □

With this, we end the security proof against Bob.

In summary, we have derived conditions on the relative minimum distance $\delta = \frac{d}{n}$ and the code rate $R$ under which the protocol is secure. By combining Lemma [1], Lemma [2] and Lemma [6] we summarize these results in the following theorem:

Theorem 7 (Conditions for successful execution of the BC protocol). Let $n \in \mathbb{N}$, $\varepsilon > 0$ and $\lambda > 0$. If the error-correcting code used satisfies the following requirements:

Relative minimum distance: $\delta > \frac{2(p_{\rm err} + \alpha_2)(\frac{1}{2} - \alpha_1)}{\frac{1}{2} - \alpha_3}$,

Code rate: $R > 1 - \lambda + \frac{2\log\frac{1}{\varepsilon}}{n}$,

then Protocol 2 is $2\varepsilon$-correct, $2\varepsilon$-binding and $2\varepsilon$-hiding.

The final part of the theoretical analysis is to discuss the feasibility of finding an error-correcting code that satisfies the requirements stated in Theorem [7]. Clearly, there exists a trade-off between the code rate $R$ and the relative minimum distance $\delta$. We make use of Theorem [1] to argue that once the parity check matrix of a code with rate $R$ is randomly generated, its distance is lower bounded except with an extremely small probability. Subsequently, by using Theorem [7] and Theorem [1] we evaluate an optimal parameter $n = 2.5 \times 10^5$ in the Supplementary Methods IV D, which is used in our experiment, and show that for such a block length, the bit commitment protocol is secure except for an error $3 \cdot 10^{-4}$.

Also, by combining Theorem [7] with Theorem [1] we provide a cleaner expression for the bound on minimum distance, accompanied by a lower bound on the block length such that security can be achieved:

Theorem 8 (Secure bit commitment). Let $\varepsilon > 0$, $\lambda > 0.3$, $\beta \in (0, 0.01]$, $\delta \in [0.05, 0.11]$, and

$$n > \frac{1}{\beta^2}\log\frac{2}{\varepsilon}. \tag{S52}$$

Also, denote $h(x) = -x\log x - (1 - x)\log(1 - x)$ as the binary entropy function.

If the bit flip error rate satisfies

$$p_{\rm err} < (1 - 4\sqrt{5}\beta)\,\frac{\delta}{2} - \frac{\beta}{\sqrt{1 - 2\beta}}, \tag{S53}$$

and the smooth min-entropy rate satisfies

$$\lambda > h(\delta) + 3\beta^2, \tag{S54}$$

then the bit commitment protocol is $3\varepsilon$-secure by using a randomly generated error-correcting code.

Proof. Fix $\varepsilon$ and assume that

n V n (S55)

This is achieved for any $\beta$, provided (S52) is true. Hence from (S30) we have

$$0 < \alpha_1 < \beta. \tag{S56}$$

Plugging this into $m = (\frac{1}{2} - \alpha_1)n$ gives

' In OL 2 < 2m ~ VI ~ W (S57)

Meanwhile, assume that $\delta > 0.05$. This leads to the condition that $\lambda > 0.3$ which is generally achieved.

$$\alpha_3 < \sqrt{20}\,\beta. \tag{S58}$$

Plugging (S56), (S57), and (S58) into the condition on minimum distance given in Theorem [7], we obtain

$$\delta > \frac{2\left(p_{\rm err} + \frac{\beta}{\sqrt{1 - 2\beta}}\right)}{1 - 4\sqrt{5}\beta} > \frac{2(p_{\rm err} + \alpha_2)(\frac{1}{2} - \alpha_1)}{\frac{1}{2} - \alpha_3}. \tag{S59}$$

Rearranging, we obtain (S53).

To derive (S54), we first use Theorem [1]. By setting the additional error from the generation of random codes to be smaller than $\varepsilon$, we obtain

$$R < 1 - h(\delta) - \frac{\log\frac{1}{\varepsilon}}{n}. \tag{S60}$$

Combining this with the condition on code rate $R$ given in Theorem [7] we have

$$1 - h(\delta) - \frac{\log\frac{1}{\varepsilon}}{n} > 1 - \lambda + \frac{2\log\frac{1}{\varepsilon}}{n}, \qquad \lambda > h(\delta) + \frac{3\log\frac{1}{\varepsilon}}{n}, \tag{S61}$$

which is satisfied if (S54) is true. The total execution error of Protocol 2 becomes $3\varepsilon$, where $2\varepsilon$ comes from the execution error in Theorem [7] and the additional $\varepsilon$ accounts for the probability that a randomly generated error-correcting code does not fulfill the requirement on relative minimum distance $\delta$. □



(S52) provides us with a lower bound on $n$ for a secure implementation. Note that this lower bound is non-tight, due to the approximations made while deriving bounds for (S56), (S57), and (S58). Also, it is stressed that Theorem [1] gives a general proof for a randomly generated error-correcting code. This approach is taken because systematic ways of constructing such binary linear codes are not known, and the task of evaluating the minimum distance of a given code is NP-hard. However, as outlined in the Supplementary Discussion [Hi] it is well known that the probability of generating a code with undesirable properties is minimal and added as a source of error in the protocol. It is also worth noting that a random code allows for easy execution of the protocol, since the only computation involved for honest parties is the calculation of the syndrome. That is, Alice and Bob never need to decode.



D. Range of experimental parameters for 
implementation 

In this section, we provide full statements about the 
security of commitments, by combining the analysis ac- 
counting for both erasures (WSEE) and errors (BC). We 
work towards a simplified expression for the rate of com- 
mitment, i.e. to commit one bit securely, what is the 
required number of signals to send. We present region 
plots showing where security holds for the protocol. 



For security, we first note that the analysis of bit flip errors requires a minimum guaranteed amount of min-entropy A for the commitment to be secure. This is seen in Lemma [6], where the lower bound for code rate $R$ can be translated into a lower bound for the min-entropy rate. The main condition for feasibility of bit commitment is then given by



A > A. 



(S62) 



The following theorem shows A by considering a ran- 
domly generated binary linear code. 

Theorem 9. By fixing an error parameter $\varepsilon$ which indicates the error for the generation of a random code. If
and given the parameter $\delta$, which is the relative minimum distance of the code required, as determined by $p_{\rm err}$ by using (S59),



A = h(S) + 



3 logi 



(S63) 



On the other hand, we need to evaluate a bound on the
min-entropy rate $\lambda$ created according to the parameters

Psenti PB.noclick and 2>B,nocUck- We be g in b Y defining two 

relevant fractional quantities: 



TO left 
^frac 



Psont 



PB.noclick +PB,noclick '^C 



Pb, 



click 



(S64) 
(S65) 



where £ = \J . The smooth min-entropy rate can 
then be evaluated, by invoking the bounded, or in general 
noisy storage assumption. We refer to below for some 
examples. 



Example: bounded storage 

We state a theorem describing the number of signals $M$ needed to send for a secure commitment, given the relevant experimental parameters and assuming the case of bounded storage. It is worth stressing again that $n$ denotes the block length used in the commitment, while $M$ denotes the number of signals sent from Alice to Bob. These quantities are related by the expressions given in (S30).

Lemma 10. Let a dishonest Bob's storage size be bounded by $S$. For fixed parameters $S$ and $\varepsilon$, and given the experimental probabilities listed in Table I, and for some $\beta, \gamma \in (0, 0.01]$, let



m 2 
m 3 

L' 
A 

8 

Ah 
M 2 
M 3 
M A 



Pscnt 



Pb .noclick + Pb, 



click 



37 



noclick 

-l 



max 

se(o,i] s 



[log(l 



3e 
s 



1-4^5/3 



l0£ 



1 



e ■ m 2 

log I 

(m 3 - 7)/3 2 
S 



(S66) 



TO2L' — TO3A 

For security to hold at all, the following is required: 

m 2 L' - m 3 X > 0. (S67) 

If (S67) is true, then bit commitment can be implemented $3\varepsilon$-securely by using a randomly constructed error-correcting code, whenever

$$M > \max\{M_1, M_2, M_3, M_4\}. \tag{S68}$$

Proof. By the analysis of [25], the min-entropy rate has
the form



A = 



m 



left 



mfr, 



where 
L = 



max [log(l + 2 6 

se(o,i] s 



1 



31ogi 



m left ' M 



(S69) 



(S70) 



Note that $\zeta$ is dependent on $M$, and its value decreases while $M$ increases. Setting $\zeta < \gamma$, which is a constant, provides a lower bound for $M$, which gives the value for $M_1$ depending on the chosen $\gamma$.



where the quantum channel satisfies a strong converse relation as in [17], the $\frac{\varepsilon}{2}$-smooth min-entropy can be evaluated by

Hit:"{X n \Q n KF(Q)) 



>- log PfZ 3 



H< a (X n \e n K)-log±- 



5-7 



'H< n (X n \Q n K)-log±' 



(S72) 



where $\gamma^{\mathcal{F}}$ is the strong converse parameter of the quantum channel. For a fixed error parameter $\varepsilon$, $\varepsilon'$ and $\varepsilon''$ should be chosen such that $\varepsilon' + \varepsilon'' = \frac{\varepsilon}{2}$. Compared to the analysis in [25], where the storage size is determined by introducing a storage rate quantity $\nu$, in this analysis we work with the quantity $S$, which is the maximum number of qubits Bob is able to store. To use this quantity in the analysis, we invoke the bounded storage assumption that Bob cannot store more than $S$ qubits, then calculate the conditions for security. For example, in the setting of depolarizing noise for a two-dimensional quantum channel, the strong converse parameter is given by the following expression

1 M {R)
C 
P 



a - 1 - 
max (R — C) 

a>l a 



1 - 
1 + 



1 - a 
r 



log[p a + (l-p) a ] 



(S73) 



Our experiment 

We state again the bounds of experimental parameters 
as derived: 



rP 



Pscnt 
Pscnt 



^scnt 



n n>l 

I 111 



, noclick 
Pcrr 



1 
1 

0.909, 
0.0412 



n n>l 
.Fscnt 



> 0.125 
> 0.99947 



(S74) 



■M 



< e provides M 2 and L > V . N ote that p\ noclick and p CII are values obtained after 



Similarly, setting 
$M_3$ comes from the condition given for $n$ at (S52), while



M 



> 



m 3 — 7 



Lastly, 



A > 



m 2 • V — - 
m 3 



M 



> A 



(S71) 



provides the main condition for security to hold at all
($S = 0$), while rearranging gives the value for $M_4$. □



Example: noisy storage 

Lemma [10] gives the case for the bounded storage model,
with no quantum noise assumed for cheating Bob's storage
device. For a more general noisy storage assumption,



the symmetrization procedures on both Alice's and Bob's 
side. 

Bounds on $n$ (and $M$) derived based on Theorem [5] and Lemma [10] are non-tight. Here, we use an optimal block length such that the classical information post-processing is minimal. We summarize the calculations in the following steps:



1: Fix $\varepsilon$ and $n$: Firstly, we set $\varepsilon = 0.99 \times 10^{-5}$, and $n = 2.5 \times 10^5$. By doing so, all relevant parameters in (S30) can be evaluated, except for $\alpha_3$ which will depend on the error-correcting code. $M$ is known by its relation with $n$ as stated in (S30), where this is justified by a detailed explanation offered right after Protocol 1.

2: Evaluate relative minimum distance $\delta$: By performing a numerical optimization that satisfies the condition on relative distance, as stated in Theorem [7], we obtain $\delta > 0.998201$.

3: Set $\varepsilon_{\rm code}$: To obtain a code with $\delta$ that satisfies the condition as evaluated in step 2, we use Theorem [1]. First, we need to set an $\varepsilon_{\rm code} = 2 \times 10^{-7}$, which bounds the probabilistic error for generating a bad random code. By doing so, we pose an upper bound upon the code rate $R$. Using $R = 0.531$ satisfies this condition. By using Theorem [7] the protocol is secure provided that the $\frac{\varepsilon}{2}$-smooth min-entropy rate $\lambda > 0.469133$.

4: Evaluate storage assumption: By using
PB,nociick> PB,nochck' Pscnt* M an d e, evaluate and 



optimize $\lambda$ for different storage noise and storage
sizes $S$, such that $\lambda$ satisfies the condition in Step
3.

5: Evaluate total execution error: The total execution error is then evaluated as $\varepsilon_{\rm total} = 2\varepsilon + \varepsilon_{\rm code} = 2 \times 10^{-5}$.

For the bounded storage assumption, the commitment is secure whenever dishonest Bob's storage size is bounded by $S_{\rm bounded} = 928$ qubits. For the noisy storage assumption, we can use (S72) and maximize over all choices of $\varepsilon'$ and $\varepsilon''$. For depolarizing noise with noise parameter $r = 0.9$, the commitment is secure whenever Bob's storage size is bounded by $S_{\rm noisy} = 972$ qubits.
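
The code-rate arithmetic behind Steps 3 and 5, as an added example (not the authors' code): it evaluates the hiding condition (S45), the random-code rate bound (S60) and the combined threshold (S61)/(S63). Assumptions: logarithms are base 2, which reproduces the page's $\lambda > 0.469133$; the function names and the sample inputs `delta_required` and `lam_available` are constructed for illustration.

```python
import math

def h2(x):
    """Binary entropy h(x) in bits, for 0 < x < 1."""
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def lambda_needed(R, n, eps):
    """Hiding, (S45): R > 1 - lambda + 2*log(1/eps)/n, solved for lambda."""
    return 1 - R + 2 * math.log2(1 / eps) / n

def max_rate(delta, n, eps_code):
    """Random code, (S60): R < 1 - h(delta) - log(1/eps_code)/n."""
    return 1 - h2(delta) - math.log2(1 / eps_code) / n

def lambda_threshold(delta, n, eps):
    """(S61)/(S63): (S45) and (S60) are compatible only if lambda exceeds this."""
    return h2(delta) + 3 * math.log2(1 / eps) / n

def max_delta(R, n, eps_code):
    """Largest relative distance a random code of rate R supports under (S60)."""
    lo, hi = 1e-12, 0.5
    if max_rate(lo, n, eps_code) < R:
        return None                      # rate too high for any distance
    for _ in range(200):                 # bisection: h2 is increasing on (0, 1/2)
        mid = (lo + hi) / 2
        if max_rate(mid, n, eps_code) >= R:
            lo = mid
        else:
            hi = mid
    return lo

def check_parameters(n, eps, eps_code, R, delta_required, lam_available):
    """Collect the rate-side conditions for one choice of code rate R."""
    d_max = max_delta(R, n, eps_code)
    lam_min = lambda_needed(R, n, eps)
    return {
        "lambda_needed": lam_min,
        "max_delta": d_max,
        "distance_ok": d_max is not None and d_max >= delta_required,
        "hiding_ok": lam_available > lam_min,
        "total_error": 2 * eps + eps_code,
    }

if __name__ == "__main__":
    # n, eps, eps_code and R are the page's values; the last two are constructed.
    print(check_parameters(250_000, 0.99e-5, 2e-7, 0.531,
                           delta_required=0.09, lam_available=0.5))
```

Raising `R` lowers the min-entropy rate the storage assumption must deliver but shrinks the distance a random code can guarantee, which is the trade-off Step 3 resolves by picking $R = 0.531$.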